Add l2_server claim to JWT tokens for L1 verification

L1 needs to know which L2 server issued the token so it can verify the token with the correct server. Now tokens include: - l2_server: The L2 server URL (e.g., https://artdag.rose-ash.com) - username: Also include username for compatibility (in addition to sub) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-08 17:10:33 +00:00
parent a4c6efd154
commit 5eb525d107
2 changed files with 17 additions and 6 deletions
--- a/auth.py
+++ b/auth.py
@@ -135,16 +135,27 @@ async def authenticate_user(data_dir: Path, username: str, password: str) -> Opt
    )


-def create_access_token(username: str) -> Token:
-    """Create a JWT access token."""
+def create_access_token(username: str, l2_server: str = None) -> Token:
+    """Create a JWT access token.
+
+    Args:
+        username: The username
+        l2_server: The L2 server URL (e.g., https://artdag.rose-ash.com)
+                   Required for L1 to verify tokens with the correct L2.
+    """
    expires = datetime.now(timezone.utc) + timedelta(days=ACCESS_TOKEN_EXPIRE_DAYS)

    payload = {
        "sub": username,
+        "username": username,  # Also include as username for compatibility
        "exp": expires,
        "iat": datetime.now(timezone.utc)
    }

+    # Include l2_server so L1 knows which L2 to verify with
+    if l2_server:
+        payload["l2_server"] = l2_server
+
    token = jwt.encode(payload, SECRET_KEY, algorithm=ALGORITHM)

    return Token(