New token arch

2026-01-10 21:45:37 +01:00
parent cc53037552
commit bf1db7cb9e
26 changed files with 1751 additions and 107 deletions
--- a/services/auth/app/core/security.py
+++ b/services/auth/app/core/security.py
@@ -133,6 +133,24 @@ class SecurityManager:
            else:
                payload["role"] = "admin"  # Default role if not specified
            
+            # NEW: Add subscription data to JWT payload
+            if "tenant_id" in user_data:
+                payload["tenant_id"] = user_data["tenant_id"]
+            
+            if "tenant_role" in user_data:
+                payload["tenant_role"] = user_data["tenant_role"]
+            
+            if "subscription" in user_data:
+                payload["subscription"] = user_data["subscription"]
+            
+            if "tenant_access" in user_data:
+                # Limit tenant_access to 10 entries to prevent JWT size explosion
+                tenant_access = user_data["tenant_access"]
+                if tenant_access and len(tenant_access) > 10:
+                    tenant_access = tenant_access[:10]
+                    logger.warning(f"Truncated tenant_access to 10 entries for user {user_data['user_id']}")
+                payload["tenant_access"] = tenant_access
+            
            logger.debug(f"Creating access token with payload keys: {list(payload.keys())}")
            
            # ✅ FIX 2: Use JWT handler to create access token
@@ -219,6 +237,31 @@ class SecurityManager:
    def generate_secure_hash(data: str) -> str:
        """Generate secure hash for token storage"""
        return hashlib.sha256(data.encode()).hexdigest()
+
+    @staticmethod
+    def create_service_token(service_name: str) -> str:
+        """
+        Create JWT service token for inter-service communication
+        ✅ FIXED: Proper service token creation with JWT
+        """
+        try:
+            # Create service token payload
+            payload = {
+                "sub": service_name,
+                "service": service_name,
+                "type": "service",
+                "role": "admin",
+                "is_service": True
+            }
+            
+            # Use JWT handler to create service token
+            token = jwt_handler.create_service_token(service_name)
+            logger.debug(f"Created service token for {service_name}")
+            return token
+            
+        except Exception as e:
+            logger.error(f"Failed to create service token for {service_name}: {e}")
+            raise ValueError(f"Failed to create service token: {str(e)}")
    
    @staticmethod
    async def track_login_attempt(email: str, ip_address: str, success: bool) -> None: