84326352b2
Lifted JWT-cookie auth pattern from the AI QC sibling project: core/auth/middleware.py validates Azure AD JWTs and stores them in an httpOnly cookie (hm_aiqc_auth_token). Tenant membership is enforced by JWTValidator's tid check, which is sufficient for the tenant-wide access policy chosen for this project. templates/login.html now drives an MSAL.js popup that POSTs the ID token to /auth/login. base.html exposes Azure config to all pages so the logout button can also clear the MSAL session. app.py's @before_request now checks the JWT cookie and exposes g.user; modules read user identity via core.auth.current_user_email so usage logs and created_by columns now record the signed-in user's email rather than a session value. Legacy username/password code removed: top-level auth_middleware.py, jwt_validator.py, deploy/generate_password.py. |
||
|---|---|---|
| .. | ||
| auth | ||
| health | ||
| models | ||
| services | ||
| utils | ||
| __init__.py | ||