Skip to content

fix(jwt): resolveAuthContext must load app models before constant()#86

Merged
kennethphough merged 1 commit into
masterfrom
fix/jwt-login-app-models
May 22, 2026
Merged

fix(jwt): resolveAuthContext must load app models before constant()#86
kennethphough merged 1 commit into
masterfrom
fix/jwt-login-app-models

Conversation

@kennethphough

Copy link
Copy Markdown
Member

Summary

  • Apps with a custom `user_model` (e.g. `user_model='User'`) get HTTP 500 on `/jwt/login`
  • Root cause: `constant($app->user_model)` fatals because the app-scoped constant isn't defined yet at JWT endpoint dispatch time
  • HMAC `/Session` works because `Api::route()` calls `loadAppModels` before reaching the session controller. JWT bypasses that pipeline (login can't require auth) → gap.

Fix

`resolveAuthContext` calls `Api::loadAppModels($app)` immediately after retrieving the app row. Defensive fallback to KyteUser if the constant still isn't defined.

Test plan

  • All 12 existing JwtEndpointTest tests still pass
  • Manually reproduced the bug against dev kyte-api.stratis-troika.com (`JwtEndpoint: Undefined constant "User"` in php-fpm error log)
  • Patch verified locally; ready for composer rollout to dev → ETOM → ORB

Patch v4.4.3. No schema changes.

🤖 Generated with Claude Code

When an Application defines a custom user_model (e.g. user_model='User'),
JwtEndpoint::resolveAuthContext called constant($app->user_model) to
resolve the model definition. App-scoped constants are registered by
Api::loadAppModels() during the normal MVC pipeline — but JwtEndpoint
dispatches *before* that pipeline runs (login can't require auth).

Result: PHP 8 fatal "Undefined constant 'User'" → HTTP 500 from
/jwt/login on every app with a custom user_model.

HMAC /Session login didn't hit this because Api::route() walks through
loadAppModels() before reaching the session controller. The JWT
endpoint deliberately bypasses that path, creating the gap.

Fix: call Api::loadAppModels($app) right after retrieving the app row
and before referencing the constant. Defensive fallback: if the
constant still isn't defined after loading (e.g. user_model references
a name that no DataModel row defines), fall back to KyteUser with an
error_log breadcrumb. Login then fails at password_verify rather than
fataling — safer client-facing surface.

All 12 JwtEndpointTest tests still pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@kennethphough
kennethphough merged commit 349483e into master May 22, 2026
4 checks passed
@kennethphough
kennethphough deleted the fix/jwt-login-app-models branch May 22, 2026 17:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant