From 46b5b5f1b2f9ba4d4f1dfffae2045758ac649339 Mon Sep 17 00:00:00 2001
From: "IGNY8 VPS (Salman)"
Date: Sun, 16 Nov 2025 19:34:02 +0000
Subject: [PATCH] Fix authentication: Use token's account_id as authoritative source

- Token's account_id is now authoritative for current account context
- For developers/admins: Always use token's account_id (they can access any account)
- For regular users: Verify they belong to token's account, fallback to user.account if not
- This ensures correct account context is set, especially for developers working across accounts
- Fixes bug where wrong user/account was shown after login
---
 backend/igny8_core/api/authentication.py | 14 +++++++++-----
 backend/igny8_core/auth/middleware.py | 16 ++++++++++++----
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/backend/igny8_core/api/authentication.py b/backend/igny8_core/api/authentication.py
index e3930a88..723abeef 100644
--- a/backend/igny8_core/api/authentication.py
+++ b/backend/igny8_core/api/authentication.py
@@ -62,16 +62,20 @@ class JWTAuthentication(BaseAuthentication):
             # User not found - return None to allow other auth classes to try
             return None
 
-        # Get account from token
+        # Get account from token (token's account_id is authoritative for current context)
         account_id = payload.get('account_id')
         account = None
         if account_id:
             try:
                 account = Account.objects.get(id=account_id)
-                # If user's account changed, use the new one from user object (most up-to-date)
-                # This ensures we always use the user's current account, not a stale token account_id
-                if user.account and user.account.id != account_id:
-                    account = user.account
+                # Verify user has access to this account
+                # For developers/admins, they can access any account
+                # For regular users, verify they belong to this account
+                if not user.is_admin_or_developer() and not user.is_system_account_user():
+                    # Regular user - must belong to this account
+                    if user.account and user.account.id != account_id:
+                        # User doesn't belong to token's account - use user's account instead
+                        account = user.account
             except Account.DoesNotExist:
                 # Account from token doesn't exist - use user's account instead
                 pass
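Review bot: The new regular-user branch still leaves `account` set to the token's account when `user.account` is None, because `if user.account and user.account.id != account_id:` is falsy in that case, so a regular user with no account assigned is given whatever account_id the token carries instead of no account at all. If the intent is that a regular user must belong to the token's account, the guard should be `if user.account is None or user.account.id != account_id:` followed by `account = user.account`, and the mismatch is worth logging at warning level so a stale or unexpected account_id is visible to operators rather than silently remapped. The same `user.account and ...` pattern is introduced in the middleware.py hunk below. Separately, the unchanged `except Account.DoesNotExist: pass` that follows leaves `account = None`, which does not match its comment "use user's account instead"; either the comment or the handler should change. The enclosing method starts and ends outside the hunk.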
@@ -99,12 +99,20 @@ class AccountContextMiddleware(MiddlewareMixin):
                 user = User.objects.select_related('account', 'account__plan').get(id=user_id)
                 request.user = user
                 if account_id:
-                    # Verify account still exists and matches user
+                    # Verify account still exists
                     account = Account.objects.get(id=account_id)
-                    # If user's account changed, use the new one from user object
-                    if user.account and user.account.id != account_id:
-                        request.account = user.account
+                    # Token's account_id is authoritative for current context
+                    # For developers/admins, they can access any account
+                    # For regular users, verify they belong to this account
+                    if not user.is_admin_or_developer() and not user.is_system_account_user():
+                        # Regular user - must belong to this account
+                        if user.account and user.account.id != account_id:
+                            # User doesn't belong to token's account - use user's account instead
+                            request.account = user.account
+                        else:
+                            request.account = account
                     else:
+                        # Developer/admin/system user - use token's account (they can access any)
                         request.account = account
                 else:
                     try:
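Review bot: The account-resolution policy is now written out twice, here and in the authentication.py hunk above, with the same three comments and the same `is_admin_or_developer()` / `is_system_account_user()` / `user.account.id != account_id` checks, so the two copies will drift the next time the rule changes and a request could be authorized under one policy and given its account context under another. A single helper that takes the user and the token's account_id and returns the account to use, called from both places, would keep them in step. Within this hunk the nested `if`/`else` can also be flattened, since every arm ends by assigning `request.account`: compute the mismatch once and write `request.account = user.account if regular_user_mismatch else account`. The enclosing method and the `try` that appears to wrap this code start and end outside the hunk.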