Add l2_server claim to JWT tokens for L1 verification

L1 needs to know which L2 server issued the token so it can verify the token with the correct server. Now tokens include: - l2_server: The L2 server URL (e.g., https://artdag.rose-ash.com) - username: Also include username for compatibility (in addition to sub) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-08 17:10:33 +00:00
parent a4c6efd154
commit 5eb525d107
2 changed files with 17 additions and 6 deletions
--- a/server.py
+++ b/server.py
@@ -329,7 +329,7 @@ async def ui_login_submit(request: Request):
    if not user:
        return HTMLResponse('<div class="bg-red-900/50 border border-red-700 text-red-300 px-4 py-3 rounded-lg mb-4">Invalid username or password</div>')

-    token = create_access_token(user.username)
+    token = create_access_token(user.username, l2_server=f"https://{DOMAIN}")

    response = HTMLResponse(f'''
        <div class="bg-green-900/50 border border-green-700 text-green-300 px-4 py-3 rounded-lg mb-4">Login successful! Redirecting...</div>
@@ -413,7 +413,7 @@ async def ui_register_submit(request: Request):
    except ValueError as e:
        return HTMLResponse(f'<div class="bg-red-900/50 border border-red-700 text-red-300 px-4 py-3 rounded-lg mb-4">{str(e)}</div>')

-    token = create_access_token(user.username)
+    token = create_access_token(user.username, l2_server=f"https://{DOMAIN}")

    response = HTMLResponse(f'''
        <div class="bg-green-900/50 border border-green-700 text-green-300 px-4 py-3 rounded-lg mb-4">Registration successful! Redirecting...</div>
@@ -1129,7 +1129,7 @@ async def register(req: UserCreate):
    except ValueError as e:
        raise HTTPException(400, str(e))

-    return create_access_token(user.username)
+    return create_access_token(user.username, l2_server=f"https://{DOMAIN}")


@app.post("/auth/login", response_model=Token)
@@ -1139,7 +1139,7 @@ async def login(req: UserLogin):
    if not user:
        raise HTTPException(401, "Invalid username or password")

-    return create_access_token(user.username)
+    return create_access_token(user.username, l2_server=f"https://{DOMAIN}")


@app.get("/auth/me")