Fix authentication: Use token's account_id as authoritative source

- Token's account_id is now authoritative for current account context - For developers/admins: Always use token's account_id (they can access any account) - For regular users: Verify they belong to token's account, fallback to user.account if not - This ensures correct account context is set, especially for developers working across accounts - Fixes bug where wrong user/account was shown after login
2025-11-16 19:34:02 +00:00
parent a267fc0715
commit 46b5b5f1b2
2 changed files with 21 additions and 9 deletions
--- a/backend/igny8_core/api/authentication.py
+++ b/backend/igny8_core/api/authentication.py
@@ -62,16 +62,20 @@ class JWTAuthentication(BaseAuthentication):
                # User not found - return None to allow other auth classes to try
                return None
            
-            # Get account from token
+            # Get account from token (token's account_id is authoritative for current context)
            account_id = payload.get('account_id')
            account = None
            if account_id:
                try:
                    account = Account.objects.get(id=account_id)
-                    # If user's account changed, use the new one from user object (most up-to-date)
-                    # This ensures we always use the user's current account, not a stale token account_id
-                    if user.account and user.account.id != account_id:
-                        account = user.account
+                    # Verify user has access to this account
+                    # For developers/admins, they can access any account
+                    # For regular users, verify they belong to this account
+                    if not user.is_admin_or_developer() and not user.is_system_account_user():
+                        # Regular user - must belong to this account
+                        if user.account and user.account.id != account_id:
+                            # User doesn't belong to token's account - use user's account instead
+                            account = user.account
                except Account.DoesNotExist:
                    # Account from token doesn't exist - use user's account instead
                    pass
--- a/backend/igny8_core/auth/middleware.py
+++ b/backend/igny8_core/auth/middleware.py
@@ -99,12 +99,20 @@ class AccountContextMiddleware(MiddlewareMixin):
                    user = User.objects.select_related('account', 'account__plan').get(id=user_id)
                    request.user = user
                    if account_id:
-                        # Verify account still exists and matches user
+                        # Verify account still exists
                        account = Account.objects.get(id=account_id)
-                        # If user's account changed, use the new one from user object
-                        if user.account and user.account.id != account_id:
-                            request.account = user.account
+                        # Token's account_id is authoritative for current context
+                        # For developers/admins, they can access any account
+                        # For regular users, verify they belong to this account
+                        if not user.is_admin_or_developer() and not user.is_system_account_user():
+                            # Regular user - must belong to this account
+                            if user.account and user.account.id != account_id:
+                                # User doesn't belong to token's account - use user's account instead
+                                request.account = user.account
+                            else:
+                                request.account = account
                        else:
+                            # Developer/admin/system user - use token's account (they can access any)
                            request.account = account
                    else:
                        try: