From 35e96444aa09a2127fca59e744bb723f2352bbf0 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 25 Mar 2026 17:45:04 -0700
Subject: [PATCH] Include account_type in token validation response
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The /v1/token/validate endpoint now returns account_type ("human" or "system") alongside username and roles. The account lookup was already happening — this just surfaces the type in the response. Required by downstream services (MCR, Metacrypt) whose policy engines match on account type. Security: no new data exposure — account_type is non-sensitive metadata already available to any authenticated admin via GET /v1/accounts/{id}.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .junie/guidelines.md | 1 -
 internal/server/server.go | 12 +++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)
 delete mode 120000 .junie/guidelines.md
diff --git a/.junie/guidelines.md b/.junie/guidelines.md
deleted file mode 120000
index 681311e..0000000
--- a/.junie/guidelines.md
+++ /dev/null
@@ -1 +0,0 @@
-CLAUDE.md
\ No newline at end of file
diff --git a/internal/server/server.go b/internal/server/server.go
index 680d79a..b78728f 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -704,11 +704,12 @@ type validateRequest struct {
 }
 
 type validateResponse struct {
- Subject string `json:"sub,omitempty"`
- Username string `json:"username,omitempty"`
- ExpiresAt string `json:"expires_at,omitempty"`
- Roles []string `json:"roles,omitempty"`
- Valid bool `json:"valid"`
+ Subject string `json:"sub,omitempty"`
+ Username string `json:"username,omitempty"`
+ AccountType string `json:"account_type,omitempty"`
+ ExpiresAt string `json:"expires_at,omitempty"`
+ Roles []string `json:"roles,omitempty"`
+ Valid bool `json:"valid"`
 }
 
 func (s *Server) handleTokenValidate(w http.ResponseWriter, r *http.Request) {
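Review bot: The new `AccountType` field in `validateResponse` is tagged `omitempty` and has no comment, so a consumer reading the struct cannot tell which values to expect or what an absent field means. The commit message says downstream policy engines match on this value, which makes it the one field here whose contract should be written down. I would add a comment on the field such as `// AccountType is "human" or "system"; it is omitted when the account lookup fails, so consumers must treat a missing value as unknown.`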
@@ -753,6 +754,7 @@ func (s *Server) handleTokenValidate(w http.ResponseWriter, r *http.Request) {
 }
 if acct, err := s.db.GetAccountByUUID(claims.Subject); err == nil {
 resp.Username = acct.Username
+ resp.AccountType = string(acct.AccountType)
 }
 writeJSON(w, http.StatusOK, resp)
 }
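Review bot: A failed `GetAccountByUUID` lookup is still silently skipped by the `err == nil` guard, and after this change that means the 200 response goes out with `account_type` omitted and nothing logged. The code that sets `resp.Valid` is outside this hunk, so I can't confirm it, but if the token is already marked valid at this point, a policy engine matching on account type sees a valid token with no type and has to fail closed on its own. Consider handling the error branch explicitly (log it, and either return an error status or clear `resp.Valid`) rather than relying on every consumer to deny on a missing field. Separately, `string(acct.AccountType)` forwards whatever value is stored; if the type has a validity check, applying it here would keep unexpected values out of policy input.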