feat(security): implement safe guest auth flow and harden request_jwt

- Patched request_jwt to strip privileged IDs when signing with public keys - Updated AccountContext and V3 dependencies to preserve JWT payloads for guests - Whitelisted Archive, Post, Event, and other core objects for public read access - Added 'default_qry_str' to Event searchable fields - Added test_e2e_jwt_guest_auth.py for security verification
2026-01-20 14:56:56 -05:00
parent 8a22ac324c
commit dc7732ab5f
11 changed files with 179 additions and 16 deletions
--- a/app/routers/dependencies_v3.py
+++ b/app/routers/dependencies_v3.py
@@ -26,6 +26,7 @@ def get_account_context_optional(

    resolved_account_id = None
    resolved_account_id_random = None
+    resolved_token_payload = None
    auth_method = 'guest'
    api_key_authorized = False

@@ -61,6 +62,9 @@ def get_account_context_optional(
            # Check if it's a real JWT (contains dots)
            if '.' in x_no_account_id_token:
                if decoded := decode_jwt(secret_key=settings.JWT_KEY, token=x_no_account_id_token):
+                    # Capture the full payload for session context (even for guests)
+                    resolved_token_payload = decoded
+                    
                    # In Aether, JWTs store the RANDOM string IDs to prevent exposure
                    resolved_account_id_random = decoded.get('account_id')
                    if resolved_account_id_random:
@@ -72,10 +76,12 @@ def get_account_context_optional(
            
            # Legacy Fallback (just a raw random ID string)
            if auth_method == 'guest':
-                resolved_account_id_random = x_no_account_id_token
-                if looked_up_id := redis_lookup_id_random(table_name='account', record_id_random=x_no_account_id_token):
-                    resolved_account_id = looked_up_id
-                    auth_method = 'token_query'
+                # Only treat as random ID if it looks like one (not a malformed JWT)
+                if '.' not in x_no_account_id_token:
+                    resolved_account_id_random = x_no_account_id_token
+                    if looked_up_id := redis_lookup_id_random(table_name='account', record_id_random=x_no_account_id_token):
+                        resolved_account_id = looked_up_id
+                        auth_method = 'token_query'

        # C. Resolve via Administrative Bypass
        elif x_no_account_id and x_no_account_id.lower() not in ['false', '0', 'null', 'undefined', 'none', 'no_account_id_here']:
@@ -89,7 +95,8 @@ def get_account_context_optional(
        auth_method=auth_method,
        administrator=(auth_method == 'bypass'),
        manager=(auth_method == 'bypass'),
-        super=(auth_method == 'bypass')
+        super=(auth_method == 'bypass'),
+        token_payload=resolved_token_payload
    )

 def get_account_context(