Fix authentication: Follow unified API model - token account_id is authoritative

- Simplified authentication logic to match unified API documentation - Token's account_id is now the sole source of truth for account context - Removed validation against user.account (no longer valid per unified API model) - Middleware now simply extracts account_id from JWT and sets request.account - Matches documented flow: Extract Account ID → Load Account Object → Set request.account
2025-11-16 19:36:18 +00:00
parent 46b5b5f1b2
commit 8171014a7e
2 changed files with 11 additions and 32 deletions
--- a/backend/igny8_core/api/authentication.py
+++ b/backend/igny8_core/api/authentication.py
@@ -62,32 +62,18 @@ class JWTAuthentication(BaseAuthentication):
                # User not found - return None to allow other auth classes to try
                return None
            
-            # Get account from token (token's account_id is authoritative for current context)
+            # Get account from token (token's account_id is authoritative per unified API model)
+            # Unified API Standard: Token contains account_id, middleware extracts and sets request.account
            account_id = payload.get('account_id')
            account = None
            if account_id:
                try:
                    account = Account.objects.get(id=account_id)
-                    # Verify user has access to this account
-                    # For developers/admins, they can access any account
-                    # For regular users, verify they belong to this account
-                    if not user.is_admin_or_developer() and not user.is_system_account_user():
-                        # Regular user - must belong to this account
-                        if user.account and user.account.id != account_id:
-                            # User doesn't belong to token's account - use user's account instead
-                            account = user.account
                except Account.DoesNotExist:
-                    # Account from token doesn't exist - use user's account instead
-                    pass
-            
-            if not account:
-                try:
-                    account = getattr(user, 'account', None)
-                except (AttributeError, Exception):
-                    # If account access fails, set to None
+                    # Account from token doesn't exist - set to None
                    account = None
            
-            # Set account on request
+            # Set account on request (unified API model: token's account_id is authoritative)
            request.account = account
            
            return (user, token)