Improve the frontend and fix TODOs

shared/auth/decorators.py

@@ -374,12 +374,76 @@ def extract_tenant_from_headers(request: Request) -> Optional[str]:
     """Extract tenant ID from headers"""
     return request.headers.get("x-tenant-id")
 
+def extract_user_from_jwt(auth_header: str) -> Optional[Dict[str, Any]]:
+    """
+    Extract user information from JWT token
+    This is a fallback for when gateway doesn't inject x-user-* headers
+    """
+    try:
+        from jose import jwt
+        from shared.config.base import is_internal_service
+
+        # Remove "Bearer " prefix
+        token = auth_header.replace("Bearer ", "").strip()
+
+        # Decode without verification (we trust tokens from gateway)
+        # In production, you'd verify with the secret key
+        payload = jwt.decode(token, key="dummy", options={"verify_signature": False})
+
+        logger.debug("JWT payload decoded", payload_keys=list(payload.keys()))
+
+        # Extract user information from JWT payload
+        user_id = payload.get("sub") or payload.get("user_id") or payload.get("service")
+
+        if not user_id:
+            logger.warning("No user_id found in JWT payload", payload=payload)
+            return None
+
+        # Check if this is a service token
+        token_type = payload.get("type", "")
+        service_name = payload.get("service", "")
+
+        if token_type == "service" or is_internal_service(user_id) or is_internal_service(service_name):
+            # This is a service token
+            service_identifier = service_name or user_id
+            user_context = {
+                "user_id": service_identifier,
+                "type": "service",
+                "service": service_identifier,
+                "role": "admin",  # Services get admin privileges
+                "is_service": True,
+                "permissions": ["read", "write", "admin"],
+                "email": f"{service_identifier}@internal.service",
+                "full_name": f"{service_identifier.replace('-', ' ').title()}"
+            }
+            logger.info("Service authenticated via JWT", service=service_identifier)
+        else:
+            # This is a user token
+            user_context = {
+                "user_id": user_id,
+                "type": "user",
+                "email": payload.get("email", ""),
+                "role": payload.get("role", "user"),
+                "tenant_id": payload.get("tenant_id"),
+                "permissions": payload.get("permissions", []),
+                "full_name": payload.get("full_name", ""),
+                "subscription_tier": payload.get("subscription_tier", ""),
+                "is_service": False
+            }
+            logger.info("User authenticated via JWT", user_id=user_id)
+
+        return user_context
+
+    except Exception as e:
+        logger.error("Failed to extract user from JWT", error=str(e), error_type=type(e).__name__)
+        return None
+
 # ================================================================
 # FASTAPI DEPENDENCY FUNCTIONS
 # ================================================================
 
 async def get_current_user_dep(request: Request) -> Dict[str, Any]:
-    """FastAPI dependency to get current user - ENHANCED with detailed logging"""
+    """FastAPI dependency to get current user - ENHANCED with JWT fallback for services"""
     try:
         # Log all incoming headers for debugging 401 issues
         logger.debug(
@@ -395,7 +459,27 @@ async def get_current_user_dep(request: Request) -> Dict[str, Any]:
             client_ip=request.client.host if request.client else "unknown"
         )
 
-        user = get_current_user(request)
+        # Try to get user from headers first (preferred method)
+        user = None
+        try:
+            user = get_current_user(request)
+        except HTTPException:
+            # If headers are missing, try JWT token as fallback
+            auth_header = request.headers.get("authorization", "")
+            if auth_header.startswith("Bearer "):
+                user = extract_user_from_jwt(auth_header)
+                if user:
+                    logger.info(
+                        "User authenticated via JWT fallback",
+                        user_id=user.get("user_id"),
+                        user_type=user.get("type", "user"),
+                        is_service=user.get("type") == "service",
+                        path=request.url.path
+                    )
+
+            # If still no user, raise original exception
+            if not user:
+                raise
 
         logger.info(
             "User authenticated successfully",
@@ -415,6 +499,7 @@ async def get_current_user_dep(request: Request) -> Dict[str, Any]:
             status_code=e.status_code,
             detail=e.detail,
             has_x_user_id=bool(request.headers.get("x-user-id")),
+            has_auth_header=bool(request.headers.get("authorization")),
             x_user_type=request.headers.get("x-user-type", "none"),
             x_service_name=request.headers.get("x-service-name", "none"),
             client_ip=request.client.host if request.client else "unknown"
@@ -596,9 +681,10 @@ __all__ = [
     'get_current_user',
     'get_current_tenant_id',
     'extract_user_from_headers',
+    'extract_user_from_jwt',
     'extract_tenant_from_headers',
     'is_admin_user',
     'is_user_in_roles',
     'get_user_permissions',
     'has_permission'
-]
+]