IA-3516 Adapt the token API to multi-account users

If a user request a token to api/token we should look if that user has a tenant_user for the account corresponding to the app_id in the url, and if it’s the case, send a token for that tenant_user on that account instead of the token for the login user.
BLSQ · Oct 15, 2024 · e0c667f · e0c667f
1 parent fdf32f5
commit e0c667f
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 2 deletions.
diff --git a/hat/settings.py b/hat/settings.py
@@ -414,7 +414,11 @@ def is_superuser(u):
     ),
 }
 
-SIMPLE_JWT = {"ACCESS_TOKEN_LIFETIME": timedelta(days=3650), "REFRESH_TOKEN_LIFETIME": timedelta(days=3651)}
+SIMPLE_JWT = {
+    "ACCESS_TOKEN_LIFETIME": timedelta(days=3650),
+    "REFRESH_TOKEN_LIFETIME": timedelta(days=3651),
+    "TOKEN_OBTAIN_SERIALIZER": "iaso.serializers.CustomTokenObtainPairSerializer",
+}
 
 AWS_S3_REGION_NAME = os.getenv("AWS_S3_REGION_NAME", "eu-central-1")
 AWS_ACCESS_KEY_ID = os.getenv("AWS_ACCESS_KEY_ID")

diff --git a/iaso/api/profiles/profiles.py b/iaso/api/profiles/profiles.py
@@ -356,7 +356,7 @@ def retrieve(self, request, *args, **kwargs):
         pk = kwargs.get("pk")
         if pk == PK_ME:
             # if the user is a main_user, login as an account user
-            # TODO: remember the last account_user
+            # TODO: This is not a clean side-effect and should be improved.
             if request.user.tenant_users.exists():
                 account_user = request.user.tenant_users.first().account_user
                 account_user.backend = "django.contrib.auth.backends.ModelBackend"

diff --git a/iaso/serializers.py b/iaso/serializers.py
@@ -0,0 +1,35 @@
+from django.contrib.auth.models import User
+
+from rest_framework_simplejwt.serializers import TokenObtainPairSerializer
+
+from iaso.models import Project
+
+
+class CustomTokenObtainPairSerializer(TokenObtainPairSerializer):
+    def validate(self, attrs):
+        """
+        Override this method to be able to take into account the app_id query param.
+
+        If the user is a multi-account user, we return a token for the correct
+        "account user" (based on the `app_id`) instead of the main user that was
+        used for logging in.
+        """
+        data = super().validate(attrs)
+
+        if self.user.tenant_users.exists():
+            request = self.context.get("request")
+            if request:
+                app_id = request.query_params.get("app_id", None)
+                project = Project.objects.get(app_id=app_id)
+
+                account_user = User.objects.filter(
+                    tenant_user__main_user=self.user,
+                    iaso_profile__account=project.account,
+                ).first()
+
+                refresh = self.get_token(account_user)
+
+                data["refresh"] = str(refresh)
+                data["access"] = str(refresh.access_token)
+
+        return data