feat: implement customer authentication with JWT tokens

Implement secure customer authentication system with dedicated JWT tokens, separate from admin/vendor authentication.

Backend Changes:
- Add customer JWT token support in deps.py
- New get_current_customer_from_cookie_or_header dependency
- Validates customer-specific tokens with type checking
- Returns Customer object instead of User for shop routes
- Extend AuthService with customer token support
- Add verify_password() method
- Add create_access_token_with_data() for custom token payloads
- Update CustomerService authentication
- Generate customer-specific JWT tokens with type="customer"
- Use vendor-scoped customer lookup
- Enhance exception handler
- Sanitize validation errors to prevent password leaks in logs
- Fix shop login redirect to support multi-access routing
- Improve vendor context detection from Referer header
- Consistent "path" detection method for cookie path logic

Schema Changes:
- Rename UserLogin.username to email_or_username for flexibility
- Update field validators accordingly

API Changes:
- Update admin/vendor auth endpoints to use email_or_username
- Customer auth already uses email field correctly

Route Changes:
- Update shop account routes to use Customer dependency
- Add /account redirect (without trailing slash)
- Change parameter names from current_user to current_customer

Frontend Changes:
- Update login forms to use email_or_username in API calls
- Change button text from "Log in" to "Sign in" for consistency
- Improve loading spinner layout with flexbox

Security Improvements:
- Customer tokens scoped to vendor_id
- Token type validation prevents cross-context token usage
- Password inputs redacted from validation error logs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

@@ -256,13 +256,18 @@ class VendorContextManager:
|
||||
path_parts = referer_path[len(prefix):].split("/")
|
||||
if len(path_parts) >= 1 and path_parts[0]:
|
||||
vendor_code = path_parts[0]
|
||||
prefix_len = len(prefix)
|
||||
logger.debug(
|
||||
f"[VENDOR] Extracted vendor from Referer path: {vendor_code}",
|
||||
extra={"vendor_code": vendor_code, "method": "referer_path"}
|
||||
)
|
||||
# Use "path" as detection_method to be consistent with direct path detection
|
||||
# This allows cookie path logic to work the same way
|
||||
return {
|
||||
"subdomain": vendor_code,
|
||||
"detection_method": "referer_path",
|
||||
"detection_method": "path", # Consistent with direct path detection
|
||||
"path_prefix": referer_path[:prefix_len + len(vendor_code)], # /vendor/vendor1
|
||||
"full_prefix": prefix, # /vendor/ or /vendors/
|
||||
"host": referer_host,
|
||||
"referer": referer,
|
||||
}
|
||||
|
||||
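Review bot: in the returned dict, relabelling "detection_method" from "referer_path" to "path" drops the only marker that vendor_code was taken from the Referer header, which is supplied by the client, so any later code that reads detection_method can no longer tell a Referer-derived vendor context from one derived from the request path itself. The logger.debug call just above still records "method": "referer_path", so the log and the returned context will now disagree. Consider keeping "referer_path" here and letting the cookie path logic accept both values, or adding a separate field (for example a source key) that preserves the provenance. Nothing in these lines validates path_parts[0] before it becomes "subdomain" and part of "path_prefix", so it is worth confirming that the vendor lookup rejects unknown codes before the cookie path is derived from it.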