Initial commit: enterprise digital platform with portal SSO, DigiServer, IT Assets, NetworkView, Server Monitor

2026-05-10 21:07:50 +03:00
commit 8d9df56b0b
364 changed files with 73655 additions and 0 deletions
@@ -0,0 +1,70 @@
+from flask import Blueprint, request, make_response, current_app
+import jwt
+
+bp = Blueprint('api', __name__, url_prefix='/api')
+
+
+@bp.route('/verify-token')
+def verify_token():
+    """
+    Called internally by nginx auth_request.
+    Reads the platform JWT cookie, verifies it, and returns 200 with user
+    identity headers on success, or 401/403 on failure.
+    """
+    token = request.cookies.get(current_app.config['PORTAL_COOKIE_NAME'])
+    if not token:
+        return '', 401
+
+    try:
+        payload = jwt.decode(
+            token,
+            current_app.config['PORTAL_JWT_SECRET'],
+            algorithms=['HS256'],
+            options={'require': ['exp', 'sub', 'user_id']},
+        )
+    except jwt.ExpiredSignatureError:
+        return '', 401
+    except jwt.InvalidTokenError:
+        return '', 401
+
+    # Per-app access check based on the original request URI
+    original_uri = request.headers.get('X-Original-URI', '')
+    required_app = _app_from_uri(original_uri)
+    user_id = payload.get('user_id')
+    portal_role = payload.get('role', 'user')
+
+    if required_app:
+        user_apps = payload.get('apps', [])
+        if required_app not in user_apps:
+            return '', 403
+
+    # Resolve the effective role for this specific app.
+    # If the admin has set a per-app role override in AppAccess, use that;
+    # otherwise fall back to the portal-level role from the JWT.
+    effective_role = portal_role
+    if required_app and user_id:
+        try:
+            from app.models.app_access import AppAccess
+            access = AppAccess.query.filter_by(
+                user_id=user_id, app_name=required_app, is_active=True
+            ).first()
+            if access and access.app_role:
+                effective_role = access.app_role
+        except Exception:
+            pass  # fall back to portal role
+
+    resp = make_response('', 200)
+    resp.headers['X-Auth-User-Id'] = str(user_id or '')
+    resp.headers['X-Auth-Username'] = payload.get('sub', '')
+    resp.headers['X-Auth-Role'] = effective_role
+    return resp
+
+
+def _app_from_uri(uri):
+    if uri.startswith('/digiserver/'):
+        return 'digiserver'
+    if uri.startswith('/itassets/'):
+        return 'itassets'
+    if uri.startswith('/networkview/'):
+        return 'networkview'
+    return None