AegisSight/AegisSight-Monitor
3
0
Fork 0
Code Issues Pull-Requests Actions Pakete Projekte Releases Wiki Aktivität
Dateien
c22ae854fe68c1bd7148b7e393dca5025d375eb5
AegisSight-Monitor/src/auth.py
Claude Dev c22ae854fe feat: Global-Admin Org-Switcher fuer info@aegis-sight.de 
Ermoeglicht dem Global Admin (is_global_admin Flag) zwischen
Organisationen zu wechseln. Neue Endpoints: GET /api/auth/organizations,
POST /api/auth/switch-org. Org-Dropdown im Header-Menue, nur fuer
Global Admin sichtbar. Komplett herausnehmbar (Flag + Code-Bloecke).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 22:25:41 +02:00

82 Zeilen
2.3 KiB
Python
Originalformat Blame Verlauf

"""JWT-Authentifizierung mit Magic-Link-Support und Multi-Tenancy."""
import secrets
from datetime import datetime, timedelta
from jose import jwt, JWTError
from fastapi import Depends, HTTPException, status
from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
from config import get_jwt_secret, JWT_ALGORITHM, JWT_EXPIRE_HOURS, TIMEZONE
security = HTTPBearer()
JWT_ISSUER = "intelsight-osint"
JWT_AUDIENCE = "intelsight-osint"
def create_token(
user_id: int,
username: str,
email: str,
role: str = "member",
tenant_id: int = None,
org_slug: str = None,
is_global_admin: bool = False,
) -> str:
"""JWT-Token erstellen mit Tenant-Kontext."""
now = datetime.now(TIMEZONE)
expire = now + timedelta(hours=JWT_EXPIRE_HOURS)
payload = {
"sub": str(user_id),
"username": username,
"email": email,
"role": role,
"tenant_id": tenant_id,
"org_slug": org_slug,
"is_global_admin": is_global_admin,
"iss": JWT_ISSUER,
"aud": JWT_AUDIENCE,
"iat": now,
"exp": expire,
}
return jwt.encode(payload, get_jwt_secret(), algorithm=JWT_ALGORITHM)
def decode_token(token: str) -> dict:
"""JWT-Token dekodieren und validieren."""
try:
payload = jwt.decode(
token,
get_jwt_secret(),
algorithms=[JWT_ALGORITHM],
issuer=JWT_ISSUER,
audience=JWT_AUDIENCE,
)
return payload
except JWTError:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Token ungueltig oder abgelaufen",
)
async def get_current_user(
credentials: HTTPAuthorizationCredentials = Depends(security),
) -> dict:
"""FastAPI Dependency: Aktuellen Nutzer aus Token extrahieren."""
payload = decode_token(credentials.credentials)
return {
"id": int(payload["sub"]),
"username": payload["username"],
"email": payload.get("email", ""),
"role": payload.get("role", "member"),
"tenant_id": payload.get("tenant_id"),
"org_slug": payload.get("org_slug"),
"is_global_admin": payload.get("is_global_admin", False),
}
def generate_magic_token() -> str:
"""Generiert einen 64-Zeichen URL-safe Token."""
return secrets.token_urlsafe(48)
In neuem Issue referenzieren Git Blame ansehen Permalink kopieren