Add improvements

2026-01-12 14:24:14 +01:00
parent 6037faaf8c
commit 230bbe6a19
61 changed files with 1668 additions and 894 deletions
--- a/shared/auth/decorators.py
+++ b/shared/auth/decorators.py
@@ -343,7 +343,13 @@ def get_current_tenant_id(request: Request) -> Optional[str]:
 def extract_user_from_headers(request: Request) -> Optional[Dict[str, Any]]:
    """Extract user information from forwarded headers (gateway sets these)"""
    user_id = request.headers.get("x-user-id")
+    logger.info(f"🔍 Extracting user from headers",
+               user_id=user_id,
+               has_user_id=bool(user_id),
+               path=request.url.path)
+
    if not user_id:
+        logger.warning(f"❌ No x-user-id header found", path=request.url.path)
        return None

    user_context = {
@@ -359,6 +365,10 @@ def extract_user_from_headers(request: Request) -> Optional[Dict[str, Any]]:
        "demo_account_type": request.headers.get("x-demo-account-type", "")
    }

+    logger.info(f"✅ User context extracted from headers",
+               user_context=user_context,
+               path=request.url.path)
+
    # ✅ ADD THIS: Handle service tokens properly
    user_type = request.headers.get("x-user-type", "")
    service_name = request.headers.get("x-service-name", "")
@@ -448,17 +458,18 @@ def extract_user_from_jwt(auth_header: str) -> Optional[Dict[str, Any]]:
 async def get_current_user_dep(request: Request) -> Dict[str, Any]:
    """FastAPI dependency to get current user - ENHANCED with JWT fallback for services"""
    try:
-        # Log all incoming headers for debugging 401 issues
-        logger.debug(
-            "Authentication attempt",
+        # Enhanced logging for debugging
+        logger.info(
+            "🔐 Authentication attempt",
            path=request.url.path,
            method=request.method,
            has_auth_header=bool(request.headers.get("authorization")),
            has_x_user_id=bool(request.headers.get("x-user-id")),
-            has_x_user_type=bool(request.headers.get("x-user-type")),
-            has_x_service_name=bool(request.headers.get("x-service-name")),
-            x_user_type=request.headers.get("x-user-type", ""),
-            x_service_name=request.headers.get("x-service-name", ""),
+            has_x_is_demo=bool(request.headers.get("x-is-demo")),
+            has_x_demo_session_id=bool(request.headers.get("x-demo-session-id")),
+            x_user_id=request.headers.get("x-user-id", "MISSING"),
+            x_is_demo=request.headers.get("x-is-demo", "MISSING"),
+            x_demo_session_id=request.headers.get("x-demo-session-id", "MISSING"),
            client_ip=request.client.host if request.client else "unknown"
        )

--- a/shared/auth/jwt_handler.py
+++ b/shared/auth/jwt_handler.py
@@ -126,24 +126,47 @@ class JWTHandler:
        logger.debug(f"Created refresh token for user {user_data['user_id']}")
        return encoded_jwt

-    def create_service_token(self, service_name: str, expires_delta: Optional[timedelta] = None) -> str:
+    def create_service_token(
+        self, 
+        service_name: str, 
+        expires_delta: Optional[timedelta] = None,
+        tenant_id: Optional[str] = None
+    ) -> str:
        """
        Create JWT SERVICE token for inter-service communication
-        ✅ FIXED: Service tokens have proper service account structure
+        ✅ UNIFIED: Single source of truth for all service token creation
+        ✅ ENHANCED: Supports tenant context for tenant-scoped operations
+        
+        Args:
+            service_name: Name of the service (e.g., 'auth-service', 'demo-session')
+            expires_delta: Optional expiration time (defaults to 1 hour for inter-service calls)
+            tenant_id: Optional tenant ID for tenant-scoped service operations
+        
+        Returns:
+            Encoded JWT service token
        """
        to_encode = {
            "sub": service_name,
+            "user_id": f"{service_name}-service",
+            "email": f"{service_name}-service@internal",
            "service": service_name,
            "type": "service",
-            "role": "admin",
-            "is_service": True
+            "role": "admin",  # Services have admin privileges
+            "is_service": True,
+            "full_name": f"{service_name.title()} Service",
+            "is_verified": True,
+            "is_active": True
        }

-        # Set expiration
+        # Include tenant context when provided for tenant-scoped operations
+        if tenant_id:
+            to_encode["tenant_id"] = tenant_id
+
+        # Set expiration (default to 1 hour for inter-service calls)
        if expires_delta:
            expire = datetime.now(timezone.utc) + expires_delta
        else:
-            expire = datetime.now(timezone.utc) + timedelta(days=365)
+            expire = datetime.now(timezone.utc) + timedelta(hours=1)  # 1 hour default
        
        to_encode.update({
            "exp": expire,
@@ -152,7 +175,7 @@ class JWTHandler:
        })
        
        encoded_jwt = jwt.encode(to_encode, self.secret_key, algorithm=self.algorithm)
-        logger.debug(f"Created service token for service {service_name}")
+        logger.debug(f"Created service token for service {service_name}", tenant_id=tenant_id)
        return encoded_jwt
    
    def verify_token(self, token: str) -> Optional[Dict[str, Any]]:
@@ -230,42 +253,7 @@ class JWTHandler:

        return None
    
-    def create_service_token(self, service_name: str, expires_delta: Optional[timedelta] = None) -> str:
-        """
-        Create JWT token for service-to-service communication

-        Args:
-            service_name: Name of the service (e.g., 'auth-service', 'tenant-service')
-            expires_delta: Optional expiration time (defaults to 365 days for services)
-
-        Returns:
-            Encoded JWT service token
-        """
-        to_encode = {
-            "sub": service_name,
-            "user_id": service_name,
-            "service": service_name,
-            "type": "service",
-            "is_service": True,
-            "role": "admin",  # Services have admin privileges
-            "email": f"{service_name}@internal.service"
-        }
-
-        # Set expiration (default to 1 year for service tokens)
-        if expires_delta:
-            expire = datetime.now(timezone.utc) + expires_delta
-        else:
-            expire = datetime.now(timezone.utc) + timedelta(days=365)
-
-        to_encode.update({
-            "exp": expire,
-            "iat": datetime.now(timezone.utc),
-            "iss": "bakery-auth"
-        })
-
-        encoded_jwt = jwt.encode(to_encode, self.secret_key, algorithm=self.algorithm)
-        logger.info(f"Created service token for {service_name}")
-        return encoded_jwt

    def get_token_info(self, token: str) -> Dict[str, Any]:
        """