enterprise_digital-platform/portal/app/routes/api.py

from flask import Blueprint, request, make_response, current_app
import jwt

bp = Blueprint('api', __name__, url_prefix='/api')


@bp.route('/verify-token')
def verify_token():
    """
    Called internally by nginx auth_request.
    Reads the platform JWT cookie, verifies it, and returns 200 with user
    identity headers on success, or 401/403 on failure.
    """
    token = request.cookies.get(current_app.config['PORTAL_COOKIE_NAME'])
    if not token:
        return '', 401

    try:
        payload = jwt.decode(
            token,
            current_app.config['PORTAL_JWT_SECRET'],
            algorithms=['HS256'],
            options={'require': ['exp', 'sub', 'user_id']},
        )
    except jwt.ExpiredSignatureError:
        return '', 401
    except jwt.InvalidTokenError:
        return '', 401

    # Per-app access check based on the original request URI
    original_uri = request.headers.get('X-Original-URI', '')
    required_app = _app_from_uri(original_uri)
    user_id = payload.get('user_id')
    portal_role = payload.get('role', 'user')

    if required_app:
        user_apps = payload.get('apps', [])
        if required_app not in user_apps:
            return '', 403

    # Resolve the effective role for this specific app.
    # If the admin has set a per-app role override in AppAccess, use that;
    # otherwise fall back to the portal-level role from the JWT.
    effective_role = portal_role
    if required_app and user_id:
        try:
            from app.models.app_access import AppAccess
            access = AppAccess.query.filter_by(
                user_id=user_id, app_name=required_app, is_active=True
            ).first()
            if access and access.app_role:
                effective_role = access.app_role
        except Exception:
            pass  # fall back to portal role

    resp = make_response('', 200)
    resp.headers['X-Auth-User-Id'] = str(user_id or '')
    resp.headers['X-Auth-Username'] = payload.get('sub', '')
    resp.headers['X-Auth-Role'] = effective_role
    return resp


def _app_from_uri(uri):
    if uri.startswith('/digiserver/'):
        return 'digiserver'
    if uri.startswith('/itassets/'):
        return 'itassets'
    if uri.startswith('/networkview/'):
        return 'networkview'
    if uri.startswith('/srvmonitor/'):
        return 'srvmonitor'
    return None