feat(auth): consolidate and secure V3 authentication flow

- Re-apply safe guest auth and passcode-to-JWT endpoint
- Consolidate AccountContext with token_payload and role flags
- Restore documentation for new guest flows and public read whitelists
- Fix 403 error in get_obj_li by allowing optional account context
This commit is contained in:
Scott Idem
2026-01-20 18:42:43 -05:00
parent d4e46a4a97
commit 43ac62b561
5 changed files with 392 additions and 28 deletions


@@ -55,7 +55,7 @@ def get_account_context_optional(
resolved_account_id_random = x_account_id
if looked_up_id := redis_lookup_id_random(table_name='account', record_id_random=x_account_id):
resolved_account_id = looked_up_id
auth_method = 'legacy_header'
auth_method = 'account_header'
# B. Resolve via JWT / Token Query Param
elif x_no_account_id_token:
@@ -76,16 +76,14 @@ def get_account_context_optional(
# Legacy Fallback (just a raw random ID string)
if auth_method == 'guest':
# Only treat as random ID if it looks like one (not a malformed JWT)
if '.' not in x_no_account_id_token:
resolved_account_id_random = x_no_account_id_token
if looked_up_id := redis_lookup_id_random(table_name='account', record_id_random=x_no_account_id_token):
resolved_account_id = looked_up_id
auth_method = 'token_query'
resolved_account_id_random = x_no_account_id_token
if looked_up_id := redis_lookup_id_random(table_name='account', record_id_random=x_no_account_id_token):
resolved_account_id = looked_up_id
auth_method = 'token_query'
# C. Resolve via Administrative Bypass
elif x_no_account_id and x_no_account_id.lower() not in ['false', '0', 'null', 'undefined', 'none', 'no_account_id_here']:
resolved_account_id = None
resolved_account_id = 1
resolved_account_id_random = '--- NO ACCOUNT ---'
auth_method = 'bypass'
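Review bot: The context comment kept above the new lines ("Only treat as random ID if it looks like one (not a malformed JWT)") no longer matches the code: the replacement assigns `resolved_account_id_random = x_no_account_id_token` unconditionally, so the `'.'` guard the comment describes is gone and a dotted token that did not decode as a JWT now reaches `redis_lookup_id_random` as if it were a legacy random ID. Either restore `if '.' not in x_no_account_id_token:` with the four assignment lines re-indented under it, or change the comment to say that any undecodable token falls through to the legacy random-ID lookup. Separately, the bypass branch now sets `resolved_account_id = 1` (previously `None`) for any `x_no_account_id` value outside the short deny-list; if account 1 is a real privileged account, the intended scope of this branch should be stated in a comment, the literal given a named constant, and the branch kept behind whatever route-level restriction already protects it, since the header alone is not something this function verifies. get_account_context_optional starts before and continues past this hunk.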