diff --git a/api/apps/__init__.py b/api/apps/__init__.py index 172d907fe..913995411 100644 --- a/api/apps/__init__.py +++ b/api/apps/__init__.py @@ -99,66 +99,57 @@ def _load_user(): if not authorization: return None + # Extract auth_token based on whether Authorization starts with "bearer" (case-insensitive) + if authorization.lower().startswith("bearer "): + parts = authorization.split(maxsplit=1) + if len(parts) < 2: + logging.warning("Authorization header has invalid bearer format") + return None + auth_token = parts[1] + else: + auth_token = authorization + + # Try JWT decoding try: - access_token = str(jwt.loads(authorization)) + access_token = str(jwt.loads(auth_token)) if not access_token or not access_token.strip(): logging.warning("Authentication attempt with empty access token") return None - # Access tokens should be UUIDs (32 hex characters) if len(access_token.strip()) < 32: logging.warning(f"Authentication attempt with invalid token format: {len(access_token)} chars") return None - user = UserService.query( - access_token=access_token, status=StatusEnum.VALID.value - ) + user = UserService.query(access_token=access_token, status=StatusEnum.VALID.value) if user: if not user[0].access_token or not user[0].access_token.strip(): logging.warning(f"User {user[0].email} has empty access_token in database") return None g.user = user[0] return user[0] - except Exception as e_auth: - logging.warning(f"load_user from jwt got exception {e_auth}") - try: - authorization = request.headers.get("Authorization") - if len(authorization.split()) == 2: - token = authorization.split()[1] - objs = APIToken.query(token=token) - if objs: - user = UserService.query(id=objs[0].tenant_id, status=StatusEnum.VALID.value) - if user: - if not user[0].access_token or not user[0].access_token.strip(): - logging.warning(f"User {user[0].email} has empty access_token in database") - return None - g.user = user[0] - return user[0] - else: - logging.warning(f"load_user: No user found for tenant_id={objs[0].tenant_id} from APIToken") - else: - logging.warning(f"load_user: No APIToken found for token={token[:10]}...") - except Exception as e_api_token: - logging.warning(f"load_user from api token got exception {e_api_token}") - # Fallback: try raw authorization value as access_token (for login tokens sent without JWT) - try: - authorization = request.headers.get("Authorization") - if authorization and len(authorization.split()) == 1: - # Single value without "Bearer " prefix - try as raw access_token - access_token = authorization.strip() - if access_token and len(access_token) >= 32: - user = UserService.query( - access_token=access_token, status=StatusEnum.VALID.value - ) - if user: - if not user[0].access_token or not user[0].access_token.strip(): - logging.warning(f"User {user[0].email} has empty access_token in database") - return None - g.user = user[0] - return user[0] - except Exception as e_raw_token: - logging.warning(f"load_user raw token fallback got exception {e_raw_token}") + return None + except Exception as e_jwt: + logging.warning(f"load_user from jwt got exception {e_jwt}") + + # JWT decode failed, try as api_token + try: + objs = APIToken.query(token=auth_token) + if objs: + user = UserService.query(id=objs[0].tenant_id, status=StatusEnum.VALID.value) + if user: + if not user[0].access_token or not user[0].access_token.strip(): + logging.warning(f"User {user[0].email} has empty access_token in database") + return None + g.user = user[0] + return user[0] + logging.warning(f"load_user: No user found for tenant_id={objs[0].tenant_id} from APIToken") + else: + logging.warning(f"load_user: No APIToken found for token={auth_token[:10]}...") + except Exception as e_api_token: + logging.warning(f"load_user from api token got exception {e_api_token}") + + return None current_user = LocalProxy(_load_user) diff --git a/web/src/utils/authorization-util.ts b/web/src/utils/authorization-util.ts index c527b0c9b..e25e4915f 100644 --- a/web/src/utils/authorization-util.ts +++ b/web/src/utils/authorization-util.ts @@ -48,11 +48,6 @@ const storage = { }; export const getAuthorization = () => { - const jwtAuth = getSearchValue('jwt_auth'); - if (jwtAuth) { - return jwtAuth; - } - const auth = getSearchValue('auth'); const authorization = auth ? 'Bearer ' + auth