bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix user delete flow 9

Browse Source
This commit is contained in:
Urtzi Alfaro
2025-08-02 23:29:18 +02:00
parent 826df76029
commit abe74f32f8
6 changed files with 49 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
gateway/app/middleware/auth.py
View File

@@ -304,11 +304,28 @@ class AuthMiddleware(BaseHTTPMiddleware):
b"x-user-email", user_context["email"].encode() b"x-user-email", user_context["email"].encode()
)) ))
user_role = user_context.get("role", "user")
request.headers.__dict__["_list"].append((
b"x-user-role", user_role.encode()
))
user_type = user_context.get("type", "")
if user_type:
request.headers.__dict__["_list"].append((
b"x-user-type", user_type.encode()
))
service_name = user_context.get("service", "")
if service_name:
request.headers.__dict__["_list"].append((
b"x-service-name", service_name.encode()
))
# Add tenant context if available # Add tenant context if available
if tenant_id: if tenant_id:
request.headers.__dict__["_list"].append(( request.headers.__dict__["_list"].append((
b"x-tenant-id", tenant_id.encode() b"x-tenant-id", tenant_id.encode()
)) ))
# Add gateway identification # Add gateway identification
request.headers.__dict__["_list"].append(( request.headers.__dict__["_list"].append((

6
services/auth/app/core/security.py
View File

@@ -100,6 +100,12 @@ class SecurityManager:
if "is_active" in user_data: if "is_active" in user_data:
payload["is_active"] = user_data["is_active"] payload["is_active"] = user_data["is_active"]
# ✅ CRITICAL FIX: Include role in access token!
if "role" in user_data:
payload["role"] = user_data["role"]
else:
payload["role"] = "user" # Default role if not specified
logger.debug(f"Creating access token with payload keys: {list(payload.keys())}") logger.debug(f"Creating access token with payload keys: {list(payload.keys())}")
# ✅ FIX 2: Use JWT handler to create access token # ✅ FIX 2: Use JWT handler to create access token

3
services/auth/app/services/auth_service.py
View File

@@ -62,6 +62,7 @@ class AuthService:
"full_name": new_user.full_name, "full_name": new_user.full_name,
"is_verified": new_user.is_verified, "is_verified": new_user.is_verified,
"is_active": new_user.is_active, "is_active": new_user.is_active,
"role": new_user.role,
"type": "access" # ✅ Explicitly mark as access token "type": "access" # ✅ Explicitly mark as access token
} }
@@ -184,6 +185,7 @@ class AuthService:
"full_name": user.full_name, "full_name": user.full_name,
"is_verified": user.is_verified, "is_verified": user.is_verified,
"is_active": user.is_active, "is_active": user.is_active,
"role": user.role,
"type": "access" # ✅ Explicitly mark as access token "type": "access" # ✅ Explicitly mark as access token
} }
@@ -345,6 +347,7 @@ class AuthService:
"full_name": user.full_name, "full_name": user.full_name,
"is_verified": user.is_verified, "is_verified": user.is_verified,
"is_active": user.is_active, "is_active": user.is_active,
"role": user.role,
"type": "access" "type": "access"
} }

7
services/tenant/app/api/tenants.py
View File

@@ -301,10 +301,15 @@ async def get_user_tenants(
# Check if this is a service call or admin user # Check if this is a service call or admin user
user_type = current_user.get('type', '') user_type = current_user.get('type', '')
user_role = current_user.get('role', '').lower() user_role = current_user.get('role', '').lower()
service_name = current_user.get('service', '')
logger.info("The user_type and user_role", user_type=user_type, user_role=user_role) logger.info("The user_type and user_role", user_type=user_type, user_role=user_role)
if user_type != 'service' and user_role != 'admin': # ✅ IMPROVED: Accept service tokens OR admin users
is_service_token = (user_type == 'service' or service_name in ['auth', 'admin'])
is_admin_user = (user_role == 'admin')
if not (is_service_token or is_admin_user):
raise HTTPException( raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN, status_code=status.HTTP_403_FORBIDDEN,
detail="Admin role or service authentication required" detail="Admin role or service authentication required"

16
shared/auth/decorators.py
View File

@@ -346,7 +346,7 @@ def extract_user_from_headers(request: Request) -> Optional[Dict[str, Any]]:
if not user_id: if not user_id:
return None return None
return { user_context = {
"user_id": user_id, "user_id": user_id,
"email": request.headers.get("x-user-email", ""), "email": request.headers.get("x-user-email", ""),
"role": request.headers.get("x-user-role", "user"), "role": request.headers.get("x-user-role", "user"),
@@ -355,6 +355,20 @@ def extract_user_from_headers(request: Request) -> Optional[Dict[str, Any]]:
"full_name": request.headers.get("x-user-full-name", "") "full_name": request.headers.get("x-user-full-name", "")
} }
# ✅ ADD THIS: Handle service tokens properly
user_type = request.headers.get("x-user-type", "")
service_name = request.headers.get("x-service-name", "")
if user_type == "service" or service_name:
user_context.update({
"type": "service",
"service": service_name,
"role": "admin", # Service tokens always have admin role
"is_service": True
})
return user_context
def extract_tenant_from_headers(request: Request) -> Optional[str]: def extract_tenant_from_headers(request: Request) -> Optional[str]:
"""Extract tenant ID from headers""" """Extract tenant ID from headers"""
return request.headers.get("x-tenant-id") return request.headers.get("x-tenant-id")

1
shared/clients/base_service_client.py
View File

@@ -44,6 +44,7 @@ class ServiceAuthenticator:
"user_id": f"{self.service_name}-service", "user_id": f"{self.service_name}-service",
"email": f"{self.service_name}-service@internal", "email": f"{self.service_name}-service@internal",
"type": "service", "type": "service",
"role": "admin",
"exp": token_expires_at, "exp": token_expires_at,
"iat": current_time, "iat": current_time,
"iss": f"{self.service_name}-service", "iss": f"{self.service_name}-service",