asdasd

backend/igny8_core/auth/middleware.py

@@ -31,6 +31,14 @@ class AccountContextMiddleware(MiddlewareMixin):
         # First, try to get user from Django session (cookie-based auth)
         # This handles cases where frontend uses credentials: 'include' with session cookies
         if hasattr(request, 'user') and request.user and request.user.is_authenticated:
+            # Block superuser access via session on non-admin routes (JWT required)
+            auth_header = request.META.get('HTTP_AUTHORIZATION', '')
+            if request.user.is_superuser and not auth_header.startswith('Bearer '):
+                logout(request)
+                return JsonResponse(
+                    {'success': False, 'error': 'Session authentication not allowed for API. Use JWT.'},
+                    status=status.HTTP_403_FORBIDDEN,
+                )
             # User is authenticated via session - refresh from DB to get latest account/plan data
             # This ensures changes to account/plan are reflected immediately without re-login
             try: