From 5bdf04cbb6f4602119a49dabdb9999b1b94ca40e Mon Sep 17 00:00:00 2001
From: lilly
Date: Tue, 19 May 2026 16:34:51 +0200
Subject: [PATCH] api: tentatively make auth_nonce optional after token refresh
---
api/src/dooris_api/deps.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/api/src/dooris_api/deps.py b/api/src/dooris_api/deps.py
index 949fd13..7c5e26b 100644
--- a/api/src/dooris_api/deps.py
+++ b/api/src/dooris_api/deps.py
@@ -4,6 +4,7 @@ from datetime import datetime, UTC, timedelta
from fastapi import Request, Depends, Response
from simple_openid_connect.data import TokenSuccessResponse
from simple_openid_connect.client import OpenidClient
+from simple_openid_connect.exceptions import ValidationError
from dooris_api import models, exceptions
from dooris_api.ccujack import CCUJackClient
@@ -24,19 +25,19 @@ async def get_current_user(
) -> Optional[models.CurrentUser]:
# easiest case: we still have an access token (which is the most fleeting component)
# everything else should still be valid so we can just use it
- if all(i in req.cookies for i in ("access_token", "id_token", "auth_nonce")):
+ if all(i in req.cookies for i in ("access_token", "id_token")):
logger.debug(
"user is fully authenticated, returning current user from existing id_token"
)
id_token = oidc_client.decode_id_token(
- req.cookies["id_token"], nonce=req.cookies["auth_nonce"]
+ req.cookies["id_token"], nonce=req.cookies.get("auth_nonce", None),
)
return models.CurrentUser(
id_token=id_token, raw_id_token=req.cookies["id_token"]
)
# if we have a refresh token, try to get new tokens
- elif all(i in req.cookies for i in ("refresh_token", "auth_nonce")):
+ elif all(i in req.cookies for i in ("refresh_token",)):
logger.debug(
"user has been previously authenticated, trying to recover with refresh_token"
)
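Review bot: Whether the nonce is verified at all is now decided by the presence of a client-supplied cookie, so a caller that simply omits `auth_nonce` gets its `id_token` cookie accepted at `decode_id_token(..., nonce=None)` with no nonce check even when that token came from an initial login and does carry a nonce claim; the condition on the `all(...)` line and the `.get("auth_nonce", None)` on the decode line together make this the default, not the exception. If the intent is only to tolerate refreshed ID tokens (which may legitimately omit `nonce`), the relaxation should be keyed on the token, not the cookie: bind `nonce = req.cookies.get("auth_nonce")` first, and when it is `None` reject a decoded token that still exposes a nonce claim — assuming `decode_id_token` returns the claims in a form where that is visible, which I cannot confirm from here. A short comment above the decode would also help, e.g. `# auth_nonce may be absent after a refresh: refreshed ID tokens need not repeat the nonce (OIDC Core 12.2); never skip the check for a token that carries one`. The function `get_current_user` starts before this hunk and its refresh branch continues past it, so I have not checked how `persist_auth_state` treats the `None` it now receives.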
@@ -44,7 +45,7 @@ async def get_current_user(
token_resp = oidc_client.exchange_refresh_token(req.cookies["refresh_token"])
if isinstance(token_resp, TokenSuccessResponse):
logger.debug("successfully got new tokens from refresh token")
- persist_auth_state(oidc_client, resp, token_resp, auth_start_time, req.cookies["auth_nonce"])
+ persist_auth_state(oidc_client, resp, token_resp, auth_start_time, None)
# return the newly gotten info
id_token = oidc_client.decode_id_token(token_resp.id_token)