From 3ee259a3f07cb58024dbbbb5477193d4f86e9d37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20Blanc?= <benoit.blanc@oslandia.com>
Date: Tue, 7 Oct 2025 16:02:04 +0200
Subject: [PATCH 1/2] Use auth module from qwc_services_core

---
 src/server.py | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/server.py b/src/server.py
index fc8ad5a..6fc3fcb 100644
--- a/src/server.py
+++ b/src/server.py
@@ -16,8 +16,7 @@
 from flask_ldap3_login import LDAP3LoginManager, AuthenticationResponseStatus
 from flask_ldap3_login.forms import LDAPLoginForm
 import i18n
-from qwc_services_core.jwt import jwt_manager
-from qwc_services_core.auth import GroupNameMapper
+from qwc_services_core.auth import auth_manager, GroupNameMapper, optional_auth
 from qwc_services_core.runtime_config import RuntimeConfig
 from qwc_services_core.tenant_handler import (
     TenantHandler, TenantPrefixMiddleware, TenantSessionInterface)
@@ -32,7 +31,7 @@
 app.config['JWT_ACCESS_TOKEN_EXPIRES'] = int(os.environ.get(
     'JWT_ACCESS_TOKEN_EXPIRES', 12*3600))
 
-jwt = jwt_manager(app)
+jwt = auth_manager(app)
 app.secret_key = app.config['JWT_SECRET_KEY']
 
 i18n.set('load_path', [os.path.join(
@@ -282,7 +281,7 @@ def verify_login():
 
 
 @app.route('/logout', methods=['GET', 'POST'])
-@jwt_required(optional=True)
+@optional_auth
 def logout():
     target_url = url_path(request.args.get('url', '/'))
     resp = make_response(redirect(target_url))

From d885a194f75b480489d179cf32fd214ead5e0658 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beno=C3=AEt=20Blanc?= <benoit.blanc@oslandia.com>
Date: Tue, 7 Oct 2025 16:03:05 +0200
Subject: [PATCH 2/2] Re-issue JWT token when it is expired and Flask session
 is still valid

---
 src/server.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/server.py b/src/server.py
index 6fc3fcb..da70c57 100644
--- a/src/server.py
+++ b/src/server.py
@@ -213,7 +213,14 @@ def login():
 
     target_url = url_path(request.args.get('url', '/'))
     if current_user.is_authenticated:
-        return redirect(target_url)
+        if current_user.groups:
+            identity = {'username': current_user.username, 'groups': current_user.groups}
+        else:
+            identity = {'username': current_user.username}
+        access_token = create_access_token(identity)
+        resp = make_response(redirect(target_url))
+        set_access_cookies(resp, access_token)
+        return resp
     form = LDAPLoginForm(meta=wft_locales())
     form.logo = config.get("logo_image_url", {})
     form.background = config.get("background_image_url", {})