From 870d2908124f0cab67795a331ef362184cf6cb1f Mon Sep 17 00:00:00 2001
From: Thonyk
Date: Fri, 19 Dec 2025 19:16:40 +0100
Subject: [PATCH 1/2] feat: extend jwt data
---
 app/core/auth/endpoints_auth.py | 7 ++++++-
 app/core/auth/schemas_auth.py | 3 +++
 app/core/utils/security.py | 2 +-
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/app/core/auth/endpoints_auth.py b/app/core/auth/endpoints_auth.py
index 6dcdfb97d7..3d9fb48a96 100644
--- a/app/core/auth/endpoints_auth.py
+++ b/app/core/auth/endpoints_auth.py
@@ -87,7 +87,12 @@ async def login_for_access_token(
 )
 # We put the user id in the subject field of the token.
 # The subject `sub` is a JWT registered claim name, see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
- data = schemas_auth.TokenData(sub=user.id, scopes=ScopeType.auth)
+ data = schemas_auth.TokenData(
+ sub=user.id,
+ scopes=ScopeType.auth,
+ account_type=user.account_type,
+ group_ids=[group.id for group in user.groups],
+ )
 access_token = create_access_token(settings=settings, data=data)
 return {"access_token": access_token, "token_type": "bearer"}
diff --git a/app/core/auth/schemas_auth.py b/app/core/auth/schemas_auth.py
index 978d3fd148..f5bedea2f7 100644
--- a/app/core/auth/schemas_auth.py
+++ b/app/core/auth/schemas_auth.py
@@ -6,6 +6,7 @@ from fastapi import Form
 from pydantic import BaseModel, field_validator
+from app.core.groups.groups_type import AccountType
 from app.utils import validators
 from app.utils.examples import examples_auth
@@ -93,6 +94,8 @@ class AccessToken(BaseModel):
 class TokenData(BaseModel):
 sub: str # Subject: the user id
+ account_type: AccountType
+ group_ids: list[str]
 iss: str | None = None
 aud: str | None = None
 cid: str | None = None # The client_id of the service which receives the token
diff --git a/app/core/utils/security.py b/app/core/utils/security.py
index 77bbc6d370..cc83cd2e8b 100644
--- a/app/core/utils/security.py
+++ b/app/core/utils/security.py
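Review bot: The claim derivation `group_ids=[group.id for group in user.groups]` added to the TokenData call here is repeated verbatim in create_response_body (second patch) and in tests/commons.py's create_api_access_token, so the three token issuers can drift apart; a single alternate constructor on the schema, e.g. `TokenData.from_user(user, scopes=ScopeType.auth)` filling `sub`, `account_type` and `group_ids`, would keep the claim set in one place. This also freezes the user's group membership into a bearer token for its whole lifetime (ACCESS_TOKEN_EXPIRE_MINUTES by default per security.py), so a consumer that authorizes on `group_ids` sees membership as of login rather than the current database state; if removal from a group must take effect sooner, the consumer has to re-check the database or the token lifetime needs reviewing. Whether `user.groups` is already loaded on the user object at this point is not visible in the hunk. login_for_access_token starts outside the hunk.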
@@ -109,7 +109,7 @@ def create_access_token(
 if expires_delta is None:
 # We use the default value
 expires_delta = timedelta(minutes=settings.ACCESS_TOKEN_EXPIRE_MINUTES)
- to_encode = data.model_dump(exclude_none=True)
+ to_encode = data.model_dump(exclude_none=True, mode="json")
 iat = datetime.now(UTC)
 expire_on = datetime.now(UTC) + expires_delta
 to_encode.update({"exp": expire_on, "iat": iat})
From 3725eab183e2a768268c041091fde397a74492f6 Mon Sep 17 00:00:00 2001
From: Thonyk
Date: Fri, 19 Dec 2025 22:11:20 +0100
Subject: [PATCH 2/2] fix: test and token
---
 app/core/auth/endpoints_auth.py | 4 ++++
 app/core/auth/schemas_auth.py | 4 ++--
 tests/commons.py | 7 ++++++-
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/app/core/auth/endpoints_auth.py b/app/core/auth/endpoints_auth.py
index 3d9fb48a96..0eb62e5194 100644
--- a/app/core/auth/endpoints_auth.py
+++ b/app/core/auth/endpoints_auth.py
@@ -913,6 +913,10 @@ async def create_response_body(
 status_code=500,
 detail="Could not find user when trying the get userinfo but it should exist",
 )
+ id_token_data.account_type = user.account_type
+ access_token_data.account_type = user.account_type
+ id_token_data.group_ids = [group.id for group in user.groups]
+ access_token_data.group_ids = [group.id for group in user.groups]
 additional_data = auth_client.get_userinfo(user=user)
 id_token = create_access_token_RS256(
diff --git a/app/core/auth/schemas_auth.py b/app/core/auth/schemas_auth.py
index f5bedea2f7..588aa3c8e0 100644
--- a/app/core/auth/schemas_auth.py
+++ b/app/core/auth/schemas_auth.py
@@ -94,8 +94,8 @@ class AccessToken(BaseModel):
 class TokenData(BaseModel):
 sub: str # Subject: the user id
- account_type: AccountType
- group_ids: list[str]
+ account_type: AccountType | None = None
+ group_ids: list[str] | None = None
 iss: str | None = None
 aud: str | None = None
 cid: str | None = None # The client_id of the service which receives the token
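Review bot: The switch to `mode="json"` on the model_dump line carries no comment saying why it is needed, and the reason is not local to this function (the new `account_type` claim is presumably an enum value that the JWT encoder cannot serialize as-is). A short why-comment would keep the next reader from reverting it: `# mode="json" so enum-typed claims such as account_type are dumped as plain JSON values before encoding`. Since `exclude_none=True` is kept, the optional claims added to TokenData are simply omitted from the token when unset rather than encoded as null, which is worth stating in the same comment. create_access_token continues outside the hunk.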
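Review bot: The four added assignments in create_response_body build the group-id list twice and set each claim on the two token models separately; computing the list once and chaining the assignments is shorter and cannot let the two tokens diverge: `group_ids = [group.id for group in user.groups]`, `id_token_data.group_ids = access_token_data.group_ids = group_ids`, `id_token_data.account_type = access_token_data.account_type = user.account_type`. Setting claims by attribute after construction also skips pydantic validation unless the model enables validate_assignment, so passing them where id_token_data and access_token_data are constructed (outside this hunk) would be the safer form. Adding `group_ids` to the ID token as well discloses the user's complete group membership to every client that receives an ID token; if that is not intended for all clients, it should be gated on the client or on the granted scopes. create_response_body starts and ends outside the hunk.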
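Review bot: The two fields changed in TokenData are the only ones in the visible block without a trailing comment, and what `None` means for a consumer is worth stating: `account_type: AccountType | None = None  # Account type of the user at issuance; omitted from the token when None` and `group_ids: list[str] | None = None  # Ids of the user's groups at issuance; omitted from the token when None`. Because create_access_token dumps with `exclude_none=True`, an absent `group_ids` claim means the issuer did not set it (e.g. a token minted by a path that predates this change), whereas an empty list means the user had no groups; a decoder should treat absence as unknown rather than as "no groups", and that distinction belongs in the comment or the class docstring.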
diff --git a/tests/commons.py b/tests/commons.py
index 855d2429b4..851bd2dae3 100644
--- a/tests/commons.py
+++ b/tests/commons.py
@@ -239,7 +239,12 @@ def create_api_access_token(
 Create a JWT access token for the `user` with the scope `API`
 """
- access_token_data = schemas_auth.TokenData(sub=user.id, scopes="API")
+ access_token_data = schemas_auth.TokenData(
+ sub=user.id,
+ scopes="API",
+ account_type=user.account_type,
+ group_ids=[group.id for group in user.groups],
+ )
 return security.create_access_token(
 data=access_token_data,
 settings=override_get_settings(),