From 62b21c97c46f6157d0241282f01f569e200b455c Mon Sep 17 00:00:00 2001
From: Daniel McKnight
Date: Thu, 26 Dec 2024 17:33:25 -0800
Subject: [PATCH] Add default permissions for `users` to address serialization bug

Explicitly handle old refresh tokens which fail Pydantic validation
---
 neon_hana/auth/client_manager.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/neon_hana/auth/client_manager.py b/neon_hana/auth/client_manager.py
index daa89d5..e3bdb64 100644
--- a/neon_hana/auth/client_manager.py
+++ b/neon_hana/auth/client_manager.py
@@ -52,7 +52,8 @@
 diana=AccessRoles.USER,
 node=AccessRoles.USER,
 hub=AccessRoles.USER,
- llm=AccessRoles.USER)
+ llm=AccessRoles.USER,
+ users=AccessRoles.NONE)


 class ClientManager:
@@ -274,6 +275,10 @@ def check_refresh_request(self, access_token: Optional[str],
 except ExpiredSignatureError:
 raise HTTPException(status_code=401,
 detail="Refresh token is expired")
+ except ValidationError:
+ raise HTTPException(status_code=400,
+ detail=f"Invalid token data received from "
+ f"client: {client_id}.")
 if refresh_data.jti != token_data.jti + ".refresh":
 raise HTTPException(status_code=403,
 detail="Refresh and access token mismatch")
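Review bot: In the first hunk, `users=AccessRoles.NONE` is the only default in this call that is not `AccessRoles.USER`, and the line carries no comment saying that the deny-by-default is deliberate. A short comment such as `# users: no access by default; grant explicitly per client` would keep a later cleanup from aligning it with its siblings. The commit message ties this to a serialization bug, so it is presumably worth confirming that the permissions model itself also defaults `users` to `NONE`, since data written before the field existed would fall back to the model default rather than to this call; the model is not visible here. The enclosing call starts above the hunk.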
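Review bot: The new `except ValidationError` clause in `check_refresh_request` depends on a name this patch does not import; the diffstat shows only these two hunks, so confirm the module already has `from pydantic import ValidationError`, otherwise a malformed refresh token would surface as a NameError and a 500 rather than the intended 400. The branch also discards the validation error without a server-side record; a log line carrying `client_id` before the raise would let operators see how often stale or tampered tokens are presented, and the response detail could then stay generic instead of echoing `client_id`. Since the sibling expired-token branch answers 401, it may be worth deciding whether an unparseable refresh token should do the same so that clients re-authenticate. The `try` this clause belongs to begins above the hunk.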