diff --git a/gateway/app/middleware/auth.py b/gateway/app/middleware/auth.py
index 216ad089..7c297b96 100644
--- a/gateway/app/middleware/auth.py
+++ b/gateway/app/middleware/auth.py
@@ -205,6 +205,7 @@ class AuthMiddleware(BaseHTTPMiddleware):
         if payload.get("service"):
             base_context["service"] = payload["service"]
             base_context["type"] = "service"
+            base_context["role"] = "service"
             logger.debug(f"Service authentication: {payload['service']}")
 
         return base_context
diff --git a/services/tenant/app/api/tenants.py b/services/tenant/app/api/tenants.py
index bbe3fbf5..f6a07735 100644
--- a/services/tenant/app/api/tenants.py
+++ b/services/tenant/app/api/tenants.py
@@ -54,7 +54,7 @@ async def verify_tenant_access(
 ):
     """Verify if user has access to tenant - Called by Gateway"""
     # Check if this is a service request
-    if user_id in ["training-service", "data-service", "forecasting-service"]:
+    if user_id in ["training-service", "data-service", "forecasting-service", "auth-service"]:
         # Services have access to all tenants for their operations
         return TenantAccessResponse(
             has_access=True,
@@ -295,6 +295,7 @@ async def get_user_tenants(
     _admin_check = Depends(require_admin_role),
     db: AsyncSession = Depends(get_db)
 ):
+    """Get all tenant memberships for a user (admin only)"""
     try:
         user_uuid = uuid.UUID(user_id)
 
diff --git a/shared/clients/base_service_client.py b/shared/clients/base_service_client.py
index 43bcccce..f411ac2f 100644
--- a/shared/clients/base_service_client.py
+++ b/shared/clients/base_service_client.py
@@ -43,7 +43,7 @@ class ServiceAuthenticator:
             "sub": f"{self.service_name}-service",
             "user_id": f"{self.service_name}-service",
             "email": f"{self.service_name}-service@internal",
-            "type": "access",
+            "type": "service",
             "exp": token_expires_at,
             "iat": current_time,
             "iss": f"{self.service_name}-service",
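Review bot: The new `base_context["role"] = "service"` is granted on the mere presence of a truthy `service` claim, while the same commit makes `ServiceAuthenticator` stamp service tokens with `"type": "service"`; the gateway branch never checks that type, so any token that carries a `service` claim but is otherwise a user-style `access` token would be promoted to the service role. Tightening the guard keeps the two sides in agreement: `if payload.get("service") and payload.get("type") == "service":`. Whether service and user tokens are verified with distinct keys or issuers is not visible in this hunk, so treat that as something to confirm rather than an established defence. The enclosing method of AuthMiddleware starts and ends outside the hunk.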
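Review bot: The service bypass in `verify_tenant_access` now matches a fourth hard-coded name against `user_id`, which is the third place in this commit where service identity is encoded (the gateway sets `role`/`type`, the client sets `type`), and the list is a plain string compare on an identifier that `ServiceAuthenticator` derives from `f"{self.service_name}-service"`. If `user_id` here is ever populated from anything other than the gateway-verified token, this branch grants all-tenant access to any caller that supplies one of these strings; I cannot see the dependency that fills `user_id`, so please confirm it comes only from the verified context. At minimum the allow-list belongs in a module-level constant so it has one home, e.g. `SERVICE_PRINCIPALS = frozenset({"training-service", "data-service", "forecasting-service", "auth-service"})` and `if user_id in SERVICE_PRINCIPALS:`, and a comment at the definition stating that every name listed receives unrestricted tenant access. The function signature begins outside the hunk and the `TenantAccessResponse` call continues past it.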
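Review bot: The token built in `ServiceAuthenticator` now says `"type": "service"`, but the gateway hunk in this commit branches on `payload.get("service")`, and no `service` claim is visible among the claims shown here; unless it is added further down the dict (which continues outside the hunk), the gateway's service branch will not fire for these tokens and they will fall through whatever the default path is. Please confirm the `service` claim is emitted, and consider keeping the literal in one shared constant, e.g. `SERVICE_TOKEN_TYPE = "service"`, so the gateway's `base_context["type"]` and this claim cannot drift apart again the way `"access"` did.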