fix: platform admin authentication and UserContext completeness

Issues fixed: - Platform selection returned LoginResponse requiring user timestamps, but UserContext doesn't have created_at/updated_at. Created dedicated PlatformSelectResponse that returns only token and platform info. - UserContext was missing platform context fields (token_platform_id, token_platform_code). JWT token included them but they weren't extracted into UserContext, causing fallback warnings. - admin_menu_config.py accessed admin_platforms (SQLAlchemy relationship) on UserContext (Pydantic schema). Changed to use accessible_platform_ids. - Static file mount order in main.py caused 404 for locale files. More specific paths (/static/modules/X/locales) must be mounted before less specific paths (/static/modules/X). Changes: - models/schema/auth.py: Add PlatformSelectResponse, token_platform_id, token_platform_code, can_access_platform(), get_accessible_platform_ids() - admin_auth.py: Use PlatformSelectResponse for select-platform endpoint - admin_platform_service.py: Accept User | UserContext in validation - admin_menu_config.py: Use accessible_platform_ids instead of admin_platforms - main.py: Mount locales before static for correct path priority Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-02 22:31:35 +01:00
parent 9a0dd84035
commit b935592430
6 changed files with 344 additions and 20 deletions
--- a/models/schema/auth.py
+++ b/models/schema/auth.py
@@ -39,6 +39,16 @@ class LoginResponse(BaseModel):
    user: UserResponse


+class PlatformSelectResponse(BaseModel):
+    """Response for platform selection (no user data - client already has it)."""
+
+    access_token: str
+    token_type: str = "bearer"
+    expires_in: int
+    platform_id: int
+    platform_code: str
+
+
 class UserDetailResponse(UserResponse):
    """Extended user response with additional details."""

@@ -198,6 +208,10 @@ class UserContext(BaseModel):
    is_super_admin: bool = False
    accessible_platform_ids: list[int] | None = None  # None = all platforms (super admin)

+    # Admin platform context (from JWT token after platform selection)
+    token_platform_id: int | None = None
+    token_platform_code: str | None = None
+
    # Vendor-specific fields (from JWT token)
    token_vendor_id: int | None = None
    token_vendor_code: str | None = None
@@ -227,6 +241,28 @@ class UserContext(BaseModel):
        """Check if user is a vendor."""
        return self.role == "vendor"

+    def can_access_platform(self, platform_id: int) -> bool:
+        """
+        Check if user can access a specific platform.
+
+        Super admins (accessible_platform_ids=None) can access all platforms.
+        Platform admins can only access their assigned platforms.
+        """
+        if self.is_super_admin:
+            return True
+        if self.accessible_platform_ids is None:
+            return True  # Super admin fallback
+        return platform_id in self.accessible_platform_ids
+
+    def get_accessible_platform_ids(self) -> list[int] | None:
+        """
+        Get list of platform IDs this user can access.
+
+        Returns None for super admins (all platforms accessible).
+        Returns list of platform IDs for platform admins.
+        """
+        return self.accessible_platform_ids
+
    @classmethod
    def from_user(cls, user, include_vendor_context: bool = True) -> "UserContext":
        """
@@ -262,6 +298,10 @@ class UserContext(BaseModel):
                    ap.platform_id for ap in admin_platforms if ap.is_active
                ]

+        # Add platform context from JWT token (for platform admins after selection)
+        data["token_platform_id"] = getattr(user, "token_platform_id", None)
+        data["token_platform_code"] = getattr(user, "token_platform_code", None)
+
        # Add vendor context from JWT token if present
        if include_vendor_context:
            data["token_vendor_id"] = getattr(user, "token_vendor_id", None)