Working log in/route guard

app/auth/views.py

@@ -6,33 +6,28 @@ from datetime import datetime
 from uuid import uuid4
 from app.classes.auth import Auth_User
 from app.classes.employee import Employee_Employee 
+import re
 
 @auth.route("/whoami", methods=["GET"])
 def check_session():
     """
     Checks auth token and returns user and associated employee data.
     """
-    api_key = request.headers.get('Authorization')
-    if not api_key:
+    auth_header = request.headers.get('Authorization')
+    if not auth_header:
         return jsonify({"ok": False, "error": "Authorization header missing"}), 401
 
-    # Clean up the token
-    api_key = api_key.replace('bearer ', '', 1).strip('"')
-    
+    # --- THIS IS THE FIX ---
+    # Use a case-insensitive regular expression to remove "bearer "
+    # This handles "Bearer ", "bearer ", "BEARER ", etc.
+    api_key = re.sub(r'^bearer\s+', '', auth_header, flags=re.IGNORECASE).strip('"')
+
     user = db.session.query(Auth_User).filter(Auth_User.api_key == api_key).first()
-    
+
     if not user:
+        print("no user found with that api key")
         return jsonify({"ok": False, "error": "Invalid token"}), 401
 
-    # --- THIS IS THE CRITICAL FIX ---
-    # Now that we have the user, find the corresponding employee record.
-    # This assumes your Employee model has a 'user_id' field linking to the Auth_User 'id'.
-    employee = db.session.query(Employee_Employee).filter(Employee_Employee.user_id == user.id).first()
-
-    # It's possible a user exists without an employee record, so we handle that case.
-    if not employee:
-        return jsonify({"ok": False, "error": "User found, but no associated employee record"}), 404
-    
     # Now, build the complete response with both user and employee data.
     return jsonify({
         "ok": True,
@@ -44,13 +39,6 @@ def check_session():
             'token': user.api_key,
             'confirmed': user.confirmed
         },
-        # ADD THE EMPLOYEE OBJECT TO THE RESPONSE
-        'employee': {
-            'id': employee.id,
-            'employee_first_name': employee.employee_first_name,
-            'employee_last_name': employee.employee_last_name,
-            # Add any other employee fields you might need on the frontend
-        }
     }), 200
 
 
@@ -86,38 +74,27 @@ def logout():
 
 @auth.route("/login", methods=["POST"])
 def login():
-    """
-    Main post function to  a user
-    """
-   
     username = request.json["username"]
     password = request.json["password"]
 
-    user = db.session\
-                .query(Auth_User)\
-                .filter_by(username=username)\
-                .first() is not None
+    user = db.session.query(Auth_User).filter_by(username=username).first()
+
+    # Important checks!
     if not user:
-        return jsonify({"error": True}), 200
-    user = db.session\
-        .query(Auth_User)\
-        .filter_by(username=username)\
-        .first()
+        return jsonify({"error": "User not found"}), 401 # Use a more descriptive error and status code
+
     if not bcrypt.check_password_hash(user.password_hash, password):
-        return jsonify({"error": True}), 200
-
-    db.session.add(user)
-    db.session.commit()
-
+        return jsonify({"error": "Invalid password"}), 401 # Use a more descriptive error and status code
 
+    # If login is successful, return the correct structure
     return jsonify({
         "ok": True,
-        'user': {'user_id': user.uuid,
-                    'user_id': user.id,
-                    'user_email': user.email,
-                    'admin_role': user.admin_role,
-                    'token': user.api_key
-                    },
+        'user': {
+            'user_name': user.username,
+            'user_id': user.id,
+            'user_email': user.email,
+            'admin_role': user.admin_role,
+        },
         'token': user.api_key
     }), 200