From 9f3c4a6cdd53c470871b1f496c6e6522453deb08 Mon Sep 17 00:00:00 2001
From: "IGNY8 VPS (Salman)"
Date: Sun, 16 Nov 2025 19:49:55 +0000
Subject: [PATCH] Fix middleware: Don't set request.user, only request.account

- Middleware should only set request.account, not request.user
- Let DRF authentication handle request.user setting
- This prevents conflicts between middleware and DRF authentication
- Fixes /me endpoint returning wrong user issue
---
 backend/igny8_core/auth/middleware.py | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)

diff --git a/backend/igny8_core/auth/middleware.py b/backend/igny8_core/auth/middleware.py
index 1bcdd16f..1e6bb292 100644
--- a/backend/igny8_core/auth/middleware.py
+++ b/backend/igny8_core/auth/middleware.py
@@ -76,7 +76,6 @@ class AccountContextMiddleware(MiddlewareMixin):
 if not JWT_AVAILABLE:
 # JWT library not installed yet - skip for now
 request.account = None
- request.user = None
 return None
 
 # Decode JWT token with signature verification
@@ -94,10 +93,9 @@ class AccountContextMiddleware(MiddlewareMixin):
 if user_id:
 from .models import User, Account
 try:
- # Refresh user from DB with account and plan relationships to get latest data
- # This ensures changes to account/plan are reflected immediately without re-login
+ # Get user from DB (but don't set request.user - let DRF authentication handle that)
+ # Only set request.account for account context
 user = User.objects.select_related('account', 'account__plan').get(id=user_id)
- request.user = user
 if account_id:
 # Verify account still exists and matches user
 account = Account.objects.get(id=account_id)
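Review bot: With `request.user = user` removed, `request.account` is still derived from the JWT this middleware decodes while `request.user` will come from whatever DRF authentication class runs later, and nothing in the hunk ties the two identities together; if DRF ever authenticates by a different credential (session, a token from another header), a view can authorize as one user while scoping tenant data to another user's account. The comment `Verify account still exists and matches user` suggests the account/user comparison follows below the hunk, but that can only check the token's own claims against each other, not against the user DRF ends up picking. Consider keeping the decoded identity for a cross-check, e.g. `request.token_user_id = user.id`, and having the DRF authentication class (or a permission) reject requests where `request.user.pk != request.token_user_id` — exact field names depend on the User/Account models, which are not visible here. It is also worth documenting above `user = User.objects.select_related(...)` why the row is still fetched now that it is no longer assigned to the request, e.g. `# Fetched only to validate the token's account claim below; request.user is set by DRF authentication`. The enclosing method starts and ends outside this hunk.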
@@ -118,18 +116,14 @@ class AccountContextMiddleware(MiddlewareMixin):
 request.account = None
 except (User.DoesNotExist, Account.DoesNotExist):
 request.account = None
- request.user = None
 else:
 request.account = None
- request.user = None
 except jwt.InvalidTokenError:
 request.account = None
- request.user = None
 except Exception:
 # Fail silently for now - allow unauthenticated access
 request.account = None
- request.user = None
 return None