updates

2025-12-07 01:28:03 +02:00
parent 5a8ca3c475
commit 876af48145
31 changed files with 914 additions and 110 deletions
--- a/Backend/src/payments/routes/pycache/accountant_security_routes.cpython-312.pyc
+++ b/Backend/src/payments/routes/pycache/accountant_security_routes.cpython-312.pyc
--- a/Backend/src/payments/routes/accountant_security_routes.py
+++ b/Backend/src/payments/routes/accountant_security_routes.py
@@ -26,6 +26,8 @@ async def verify_step_up(
 ):
    """Verify step-up authentication (MFA token or password re-entry)."""
    try:
+        from ..models.accountant_session import AccountantSession
+        
        mfa_token = step_up_data.get('mfa_token')
        password = step_up_data.get('password')
        session_token = step_up_data.get('session_token')
@@ -34,8 +36,18 @@ async def verify_step_up(
            # Try to get from header or cookie
            session_token = request.headers.get('X-Session-Token') or request.cookies.get('session_token')
        
+        # If still no session token, try to find the most recent active session for this user
        if not session_token:
-            raise HTTPException(status_code=400, detail='Session token is required')
+            active_session = db.query(AccountantSession).filter(
+                AccountantSession.user_id == current_user.id,
+                AccountantSession.is_active == True,
+                AccountantSession.expires_at > datetime.utcnow()
+            ).order_by(AccountantSession.last_activity.desc()).first()
+            
+            if active_session:
+                session_token = active_session.session_token
+            else:
+                raise HTTPException(status_code=400, detail='No active session found. Please log in again.')
        
        # Verify MFA if token provided
        if mfa_token:
--- a/Backend/src/payments/services/pycache/accountant_security_service.cpython-312.pyc
+++ b/Backend/src/payments/services/pycache/accountant_security_service.cpython-312.pyc
--- a/Backend/src/payments/services/accountant_security_service.py
+++ b/Backend/src/payments/services/accountant_security_service.py
@@ -126,8 +126,18 @@ class AccountantSecurityService:
        Check if step-up authentication is required.
        Returns (requires_step_up: bool, reason: str | None)
        """
+        # If no session token provided, try to find the most recent active session for this user
        if not session_token:
-            return True, "Step-up authentication required for this action"
+            active_session = db.query(AccountantSession).filter(
+                AccountantSession.user_id == user_id,
+                AccountantSession.is_active == True,
+                AccountantSession.expires_at > datetime.utcnow()
+            ).order_by(AccountantSession.last_activity.desc()).first()
+            
+            if active_session:
+                session_token = active_session.session_token
+            else:
+                return True, "Step-up authentication required for this action"
        
        session = AccountantSecurityService.validate_session(db, session_token, update_activity=False)
        if not session:
@@ -167,6 +177,8 @@ class AccountantSecurityService:
            minutes=AccountantSecurityService.STEP_UP_VALIDITY_MINUTES
        )
        
+        # Use flush to ensure changes are visible in the same transaction
+        # The route handler will commit
        db.flush()
        return True