IMIO · chris-adam · Feb 17, 2026 · Jan 14, 2026 · Jan 15, 2026 · Feb 17, 2026
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -7,6 +7,8 @@ Changelog
 
 - Replaced external_session_link p by span.
   [sgeulette]
+- Switched basic auth to jwt.
+  [chris-adam]
 
 1.0a2 (2026-02-06)
 ------------------

diff --git a/setup.py b/setup.py
@@ -55,7 +55,7 @@
         "collective.compoundcriterion",
         "collective.eeafaceted.z3ctable",
         "eea.facetednavigation",
-        "imio.helpers",
+        "imio.helpers>1.3.10",
         "imio.prettylink",
         "imio.pyutils",
         # 'z3c.jbot',

diff --git a/src/imio/esign/__init__.py b/src/imio/esign/__init__.py
@@ -13,7 +13,6 @@
 logger = logging.getLogger("imio.esign")
 PLONE_VERSION = int(api.env.plone_version()[0])
 ESIGN_ROOT_URL = os.getenv("ESIGN_ROOT_URL", "http://127.0.0.1:8000")
-ESIGN_CREDENTIALS = os.getenv("ESIGN_CREDENTIALS", "")
 manage_session_perm = "imio.esign: Manage Sessions"
 
 

diff --git a/src/imio/esign/browser/views.py b/src/imio/esign/browser/views.py
@@ -4,7 +4,6 @@
 from datetime import datetime
 from datetime import timedelta
 from imio.esign import _
-from imio.esign import ESIGN_CREDENTIALS
 from imio.esign import ESIGN_ROOT_URL
 from imio.esign import manage_session_perm
 from imio.esign.browser.table import external_session_link
@@ -146,7 +145,6 @@ def __call__(self, session_id=None):
             return self.context.absolute_url() + "/@@parapheo"
         resp = create_external_session(
             int(session_id),
-            b64_cred=ESIGN_CREDENTIALS,
             esign_root_url=ESIGN_ROOT_URL,
         )
         if resp == "_session_not_found_":

diff --git a/src/imio/esign/services/external_session_feedback.py b/src/imio/esign/services/external_session_feedback.py
@@ -2,6 +2,7 @@
 from datetime import datetime
 from imio.esign import logger
 from imio.esign.utils import get_session_annotation
+from imio.helpers.ws import verify_auth_token
 from plone.restapi.deserializer import json_body
 from plone.restapi.services import Service
 
@@ -95,4 +96,19 @@ def reply(self):  # noqa C901
 
     def authorized(self):
         """Check if the user is authorized to access this service."""
-        return True
+        auth_header = self.request.getHeader("Authorization")
+        if not auth_header or not auth_header.startswith("Bearer "):
+            return False
+        token = auth_header[7:]  # len("Bearer ") == 7
+        if not token:
+            return False
+        return verify_auth_token(token, groups=["access_imio-apps-docs"])
+
+
+"""
+State:
+to_create_session
+to_sign
+to_upload
+refused
+"""
diff --git a/src/imio/esign/utils.py b/src/imio/esign/utils.py
@@ -2,7 +2,6 @@
 from datetime import datetime
 from datetime import timedelta
 from imio.esign import _tr as _
-from imio.esign import ESIGN_CREDENTIALS
 from imio.esign import ESIGN_ROOT_URL
 from imio.esign import logger
 from imio.esign.config import get_registry_file_url
@@ -14,7 +13,7 @@
 from imio.helpers.content import uuidsToObjects
 from imio.helpers.content import uuidToObject
 from imio.helpers.transmogrifier import get_correct_id
-from imio.pyutils.system import post_request
+from imio.helpers.ws import get_auth_token
 from imio.pyutils.utils import shortuid_encode_id
 from os import path
 from persistent.list import PersistentList
@@ -24,6 +23,7 @@
 from zope.component import getAdapter
 
 import json
+import requests
 
 
 SESSION_URL = "imio/esign/v1/luxtrust/sessions"
@@ -94,11 +94,10 @@ def add_files_to_session(
     return session_id, session
 
 
-def create_external_session(session_id, b64_cred=None, esign_root_url=None):
+def create_external_session(session_id, esign_root_url=None):
     """Create a session with the given signers and files.
 
     :param session_id: internal session id
-    :param b64_cred: base64 encoded credentials for authentication
     :param esign_root_url: the root URL for the e-sign service, if not provided it will use the default ESIGN_ROOT_URL
     :return: session information
     """
@@ -153,17 +152,22 @@ def create_external_session(session_id, b64_cred=None, esign_root_url=None):
             "sealCode": seal_code,
         }
 
+    # files_payload = {filename: file_content for z, filename, file_content, uid in files}
     files_payload = [("files", (filename, file_content)) for z, filename, file_content, uid in files]
 
     # Headers avec autorisation
-    headers = {"accept": "application/json"}
-    b64_cred = b64_cred or ESIGN_CREDENTIALS
-    if b64_cred:
-        headers["Authorization"] = "Basic {}".format(b64_cred)
+    headers = {
+        "accept": "application/json",
+        "Authorization": "Bearer %s" % get_auth_token(),
+    }
 
     logger.info(data_payload)
-    ret = post_request(
-        session_url, data={"data": json.dumps(data_payload, default=vars)}, headers=headers, files=files_payload
+    ret = requests.post(
+        session_url,
+        headers=headers,
+        data={"data": json.dumps(data_payload, default=vars)},
+        files=files_payload,
+        timeout=10,
     )
     if ret.status_code == 200:
         session["state"] = "sent"