salman/igny8
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Fix authentication: Follow unified API model - token account_id is authoritative"

Browse Source 
This reverts commit 8171014a7e.
This commit is contained in:
Desktop
2025-11-17 01:35:26 +05:00
parent 79aab68acd
commit c4daeb1870
2 changed files with 32 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
backend/igny8_core/api/authentication.py
View File

@@ -62,18 +62,32 @@ class JWTAuthentication(BaseAuthentication):
# User not found - return None to allow other auth classes to try # User not found - return None to allow other auth classes to try
return None return None
# Get account from token (token's account_id is authoritative per unified API model) # Get account from token (token's account_id is authoritative for current context)
# Unified API Standard: Token contains account_id, middleware extracts and sets request.account
account_id = payload.get('account_id') account_id = payload.get('account_id')
account = None account = None
if account_id: if account_id:
try: try:
account = Account.objects.get(id=account_id) account = Account.objects.get(id=account_id)
# Verify user has access to this account
# For developers/admins, they can access any account
# For regular users, verify they belong to this account
if not user.is_admin_or_developer() and not user.is_system_account_user():
# Regular user - must belong to this account
if user.account and user.account.id != account_id:
# User doesn't belong to token's account - use user's account instead
account = user.account
except Account.DoesNotExist: except Account.DoesNotExist:
# Account from token doesn't exist - set to None # Account from token doesn't exist - use user's account instead
pass
if not account:
try:
account = getattr(user, 'account', None)
except (AttributeError, Exception):
# If account access fails, set to None
account = None account = None
# Set account on request (unified API model: token's account_id is authoritative) # Set account on request
request.account = account request.account = account
return (user, token) return (user, token)

19
backend/igny8_core/auth/middleware.py
View File

@@ -99,14 +99,21 @@ class AccountContextMiddleware(MiddlewareMixin):
user = User.objects.select_related('account', 'account__plan').get(id=user_id) user = User.objects.select_related('account', 'account__plan').get(id=user_id)
request.user = user request.user = user
if account_id: if account_id:
# Unified API Standard: Extract account_id from JWT, load Account object, set request.account # Verify account still exists
# Token's account_id is authoritative - no validation against user.account
try:
account = Account.objects.get(id=account_id) account = Account.objects.get(id=account_id)
# Token's account_id is authoritative for current context
# For developers/admins, they can access any account
# For regular users, verify they belong to this account
if not user.is_admin_or_developer() and not user.is_system_account_user():
# Regular user - must belong to this account
if user.account and user.account.id != account_id:
# User doesn't belong to token's account - use user's account instead
request.account = user.account
else:
request.account = account
else:
# Developer/admin/system user - use token's account (they can access any)
request.account = account request.account = account
except Account.DoesNotExist:
# Account from token doesn't exist - set to None
request.account = None
else: else:
try: try:
user_account = getattr(user, 'account', None) user_account = getattr(user, 'account', None)