fix: update get_jwt_user to avoid non-string token_type

similar to other functions.

Signed-off-by: Grant Ramsay <seapagan@gmail.com>

Author: seapagan

.pre-commit-config.yaml

@@ -11,7 +11,7 @@ repos:
       - id: check-added-large-files
 
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.14.10
+    rev: v0.14.11
     hooks:
       - id: ruff
         args: ["--output-format=concise"]
@@ -31,7 +31,7 @@ repos:
 
   - repo: https://github.com/astral-sh/uv-pre-commit
     # uv version.
-    rev: 0.9.18
+    rev: 0.9.22
     hooks:
       # Update the uv lockfile
       - id: uv-lock

app/managers/auth.py

@@ -526,7 +526,7 @@ async def resend_verify_code(
 bearer = HTTPBearer(auto_error=False)
 
 
-async def get_jwt_user(
+async def get_jwt_user(  # noqa: C901
     request: Request,
     db: AsyncSession = Depends(get_database),
     credentials: HTTPAuthorizationCredentials | None = Depends(bearer),
@@ -561,7 +561,7 @@ async def get_jwt_user(
         )
         # Use constant-time comparison to prevent timing attacks
         token_type = payload.get("typ")
-        if token_type is None or not secrets.compare_digest(
+        if not isinstance(token_type, str) or not secrets.compare_digest(
             token_type, "access"
         ):
             increment_auth_failure("invalid_token", "jwt")
@@ -575,10 +575,13 @@ async def get_jwt_user(
             )
 
         user_id = payload.get("sub")
-        if user_id is None:
+        # Accept int-like strings but reject weird types early
+        if isinstance(user_id, str) and user_id.isdigit():
+            user_id = int(user_id)
+        if not isinstance(user_id, int):
             increment_auth_failure("invalid_token", "jwt")
             category_logger.warning(
-                "Authentication attempted with token missing 'sub' claim",
+                "Authentication attempted with invalid 'sub' claim",
                 LogCategory.AUTH,
             )
             raise HTTPException(