Improve the frontend and fix TODOs

2025-10-24 13:05:04 +02:00
parent 07c33fa578
commit 61376b7a9f
100 changed files with 8284 additions and 3419 deletions
--- a/services/notification/app/api/notification_operations.py
+++ b/services/notification/app/api/notification_operations.py
@@ -563,19 +563,46 @@ async def stream_notifications(
    Supports alerts and recommendations through unified stream
    """

-    # Validate token and get user (skip for now to test connection)
-    # TODO: Add proper token validation in production
+    # Validate token and get user
    current_user = None
    if token:
        try:
-            # In a real implementation, validate the JWT token here
-            # For now, skip validation to test the connection
-            pass
-        except Exception:
-            raise HTTPException(401, "Invalid token")
+            from shared.auth.jwt_handler import JWTHandler
+            from app.core.config import settings

-    # Skip tenant access validation for testing
-    # TODO: Add tenant access validation in production
+            jwt_handler = JWTHandler(settings.JWT_SECRET_KEY)
+            payload = jwt_handler.decode_access_token(token)
+
+            if not payload:
+                raise HTTPException(
+                    status_code=status.HTTP_401_UNAUTHORIZED,
+                    detail="Invalid or expired token"
+                )
+
+            current_user = payload
+
+        except Exception as e:
+            logger.warning("Token validation failed", error=str(e))
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid or expired token"
+            )
+    else:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authentication token required"
+        )
+
+    # Validate tenant access
+    user_tenant_id = current_user.get('tenant_id')
+    if user_tenant_id and str(user_tenant_id) != str(tenant_id):
+        logger.warning("Tenant access denied",
+                      user_tenant_id=user_tenant_id,
+                      requested_tenant_id=tenant_id)
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied to this tenant's notifications"
+        )

    # Get SSE service from app state
    sse_service = getattr(request.app.state, 'sse_service', None)