Cleaned up login/logout flows.

2025-09-02 19:08:16 -06:00
parent 10e55f63b5
commit b324276173
8 changed files with 46 additions and 18 deletions
--- a/passkey/fastapi/authz.py
+++ b/passkey/fastapi/authz.py
@@ -1,7 +1,11 @@
+import logging
+
 from fastapi import HTTPException

 from ..util import permutil

+logger = logging.getLogger(__name__)
+

 async def verify(auth: str | None, perm: list[str], match=permutil.has_all):
    """Validate session token and optional list of required permissions.
@@ -20,6 +24,16 @@ async def verify(auth: str | None, perm: list[str], match=permutil.has_all):
        raise HTTPException(status_code=401, detail="Session not found")

    if not match(ctx, perm):
+        # Determine which permissions are missing for clearer diagnostics
+        missing = sorted(set(perm) - set(ctx.role.permissions))
+        logger.warning(
+            "Permission denied: user=%s role=%s missing=%s required=%s granted=%s",  # noqa: E501
+            getattr(ctx.user, "uuid", "?"),
+            getattr(ctx.role, "display_name", "?"),
+            missing,
+            perm,
+            ctx.role.permissions,
+        )
        raise HTTPException(status_code=403, detail="Permission required")

    return ctx