fix(auth): align data db structure with funcs (reanahub#741)

Author: tomondre

reana_server/oauth.py

@@ -47,11 +47,12 @@ def fetch_user_info(token: str) -> UserInfo:
         raise ValueError(f"Error communicating with IdP: {str(e)}")
 
 
-def create_or_update_user(idp_id: str, user_info: Dict) -> User:
+def create_or_update_user(sub: str, iss: str, user_info: Dict) -> User:
     """Create or update user record with information from IdP.
 
     Args:
-        idp_id: Subject identifier from IdP
+        sub: Subject identifier from IdP
+        iss: Issuer identifier from IdP
         user_info: User information from IdP's UserInfo endpoint
 
     Returns:
@@ -65,16 +66,18 @@ def create_or_update_user(idp_id: str, user_info: Dict) -> User:
         if not email:
             raise ValueError("Email is required in UserInfo response from IdP")
 
-        user = Session.query(User).filter_by(idp_id=idp_id).one_or_none()
+        user = Session.query(User).filter_by(idp_subject=sub, idp_issuer=iss).one_or_none()
 
         if not user:
             user = Session.query(User).filter_by(email=email).one_or_none()
             if user:
-                user.idp_id = idp_id
+                user.idp_subject = sub
+                user.idp_issuer = iss
             else:
                 user_parameters = {
                     "email": email,
-                    "idp_id": idp_id,
+                    "idp_subject": sub,
+                    "idp_issuer": iss,
                     "full_name": user_info.get("name", email),
                     "username": user_info.get("preferred_username", email),
                 }
@@ -90,12 +93,13 @@ def create_or_update_user(idp_id: str, user_info: Dict) -> User:
         raise ValueError(f"Error creating or updating user: {str(e)}")
 
 
-def create_or_update_user_from_idp(token: str, user_idp_id: str) -> User:
+def create_or_update_user_from_idp(token: str, sub: str, iss: str) -> User:
     """Create or update user record by fetching info from IdP.
 
     Args:
         token: Access token to fetch user info
-        user_idp_id: Subject identifier from IdP (e.g., sub claim)
+        sub: Subject identifier from IdP (e.g., sub claim)
+        iss: Issuer identifier from IdP (e.g., iss claim)
 
     Returns:
         User: Created or updated user record
@@ -105,6 +109,6 @@ def create_or_update_user_from_idp(token: str, user_idp_id: str) -> User:
     """
     try:
         user_info = fetch_user_info(token)
-        return create_or_update_user(user_idp_id, user_info)
+        return create_or_update_user(sub, iss, user_info)
     except Exception as e:
         raise ValueError(f"Failed to create/update user: {str(e)}")

reana_server/utils.py

@@ -81,8 +81,8 @@
     GitLabClient,
     GitLabClientException,
 )
-from reana_server.validation import validate_retention_rule, validate_workflow
 from reana_server.oauth import create_or_update_user_from_idp
+from reana_server.validation import validate_retention_rule, validate_workflow
 
 
 def is_uuid_v4(uuid_or_name):
@@ -437,8 +437,8 @@ def _get_user_from_invenio_user(id):
     return user
 
 
-def _get_user_by_idpid(idp_id):
-    user = Session.query(User).filter_by(idp_id=idp_id).one_or_none()
+def _get_user_by_sub_and_iss(sub, iss):
+    user = Session.query(User).filter_by(idp_subject=sub, idp_issuer=iss).one_or_none()
     if not user:
         raise ValueError("No users registered with this idp_id")
     return user
@@ -712,22 +712,22 @@ def _get_user_from_jwt(header: str) -> User:
 
         token = header.split(" ")[1]
 
-        # Validate JWT token
         jwks = fetch_and_parse_jwk()
         key_set = JsonWebKey.import_key_set(jwks)
+
         claims = jwt.decode(token, key_set)
         claims.validate()
 
-        idp_id = claims.get("sub")
-        if not idp_id:
-            raise ValueError("Token missing subject claim")
-
+        sub = claims.get("sub")
+        iss = claims.get("iss")
+        if not sub or not iss:
+            raise ValueError("Token missing subject claim or iss")
         try:
-            user = _get_user_by_idpid(idp_id)
+            user = _get_user_by_sub_and_iss(sub, iss)
             return user
         except ValueError:
             # User not found, create/update from IdP
-            return create_or_update_user_from_idp(token, idp_id)
+            return create_or_update_user_from_idp(token, sub, iss)
 
     except JoseError as e:
         raise ValueError(f"Invalid token: {str(e)}")