salman/igny8
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a267fc071522525ccc79c53992a87d367c998a53
igny8/backend/igny8_core/api/authentication.py
IGNY8 VPS (Salman) a267fc0715 Fix authentication: Ensure correct user/account is loaded 
- JWTAuthentication now uses select_related('account', 'account__plan') to get fresh user data
- Added check to use user's current account if it differs from token's account_id
- This ensures correct user/account is shown even if account changed after token was issued
- Fixes bug where wrong user was displayed after login
2025-11-16 19:28:37 +00:00

99 lines
3.8 KiB
Python
Raw Blame History

"""
Custom authentication classes for DRF
"""
from rest_framework.authentication import SessionAuthentication, BaseAuthentication
from rest_framework.exceptions import AuthenticationFailed
import jwt
class CSRFExemptSessionAuthentication(SessionAuthentication):
"""
Session authentication that doesn't enforce CSRF for API endpoints.
This is safe for API usage since we're using session cookies and proper CORS settings.
"""
def enforce_csrf(self, request):
"""
Override to skip CSRF enforcement for API endpoints.
"""
return # Skip CSRF check
class JWTAuthentication(BaseAuthentication):
"""
JWT token authentication for DRF.
Extracts JWT token from Authorization header and validates it.
"""
def authenticate(self, request):
"""
Authenticate the request and return a two-tuple of (user, token).
"""
auth_header = request.META.get('HTTP_AUTHORIZATION', '')
if not auth_header.startswith('Bearer '):
return None # No JWT token, let other auth classes handle it
token = auth_header.split(' ')[1] if len(auth_header.split(' ')) > 1 else None
if not token:
return None
try:
from igny8_core.auth.utils import decode_token
from igny8_core.auth.models import User, Account
# Decode and validate token
payload = decode_token(token)
# Verify it's an access token
if payload.get('type') != 'access':
# Invalid token type - return None to allow other auth classes to try
return None
# Get user
user_id = payload.get('user_id')
if not user_id:
# Invalid token payload - return None to allow other auth classes to try
return None
try:
# Refresh user from DB with account and plan relationships to get latest data
# This ensures changes to account/plan are reflected immediately without re-login
user = User.objects.select_related('account', 'account__plan').get(id=user_id)
except User.DoesNotExist:
# User not found - return None to allow other auth classes to try
return None
# Get account from token
account_id = payload.get('account_id')
account = None
if account_id:
try:
account = Account.objects.get(id=account_id)
# If user's account changed, use the new one from user object (most up-to-date)
# This ensures we always use the user's current account, not a stale token account_id
if user.account and user.account.id != account_id:
account = user.account
except Account.DoesNotExist:
# Account from token doesn't exist - use user's account instead
pass
if not account:
try:
account = getattr(user, 'account', None)
except (AttributeError, Exception):
# If account access fails, set to None
account = None
# Set account on request
request.account = account
return (user, token)
except jwt.InvalidTokenError:
# Invalid or expired token - return None to allow other auth classes (session) to try
return None
except Exception as e:
# Other errors - return None to allow other auth classes to try
# This allows session authentication to work if JWT fails
return None
Reference in New Issue View Git Blame Copy Permalink