from flask import Blueprint, request, make_response, current_app import jwt bp = Blueprint('api', __name__, url_prefix='/api') @bp.route('/verify-token') def verify_token(): """ Called internally by nginx auth_request. Reads the platform JWT cookie, verifies it, and returns 200 with user identity headers on success, or 401/403 on failure. """ token = request.cookies.get(current_app.config['PORTAL_COOKIE_NAME']) if not token: return '', 401 try: payload = jwt.decode( token, current_app.config['PORTAL_JWT_SECRET'], algorithms=['HS256'], options={'require': ['exp', 'sub', 'user_id']}, ) except jwt.ExpiredSignatureError: return '', 401 except jwt.InvalidTokenError: return '', 401 # Per-app access check based on the original request URI original_uri = request.headers.get('X-Original-URI', '') required_app = _app_from_uri(original_uri) user_id = payload.get('user_id') portal_role = payload.get('role', 'user') if required_app: user_apps = payload.get('apps', []) if required_app not in user_apps: return '', 403 # Resolve the effective role for this specific app. # If the admin has set a per-app role override in AppAccess, use that; # otherwise fall back to the portal-level role from the JWT. effective_role = portal_role if required_app and user_id: try: from app.models.app_access import AppAccess access = AppAccess.query.filter_by( user_id=user_id, app_name=required_app, is_active=True ).first() if access and access.app_role: effective_role = access.app_role except Exception: pass # fall back to portal role resp = make_response('', 200) resp.headers['X-Auth-User-Id'] = str(user_id or '') resp.headers['X-Auth-Username'] = payload.get('sub', '') resp.headers['X-Auth-Role'] = effective_role return resp def _app_from_uri(uri): if uri.startswith('/digiserver/'): return 'digiserver' if uri.startswith('/itassets/'): return 'itassets' if uri.startswith('/networkview/'): return 'networkview' if uri.startswith('/srvmonitor/'): return 'srvmonitor' return None