From 28634ece1df61826d9f044822051ccb85f63400a Mon Sep 17 00:00:00 2001
From: Johannes Reppin <johannes.reppin@desy.de>
Date: Wed, 27 May 2026 12:40:33 +0200
Subject: [PATCH] add accessToken to jobClass so it can be reused in actions
 via job.accessToken in handlebars

---
 src/jobs/dto/output-job-v4.dto.ts |  2 +-
 src/jobs/jobs.controller.utils.ts | 18 ++++++++++++++++++
 src/jobs/schemas/job.schema.ts    | 15 +++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/src/jobs/dto/output-job-v4.dto.ts b/src/jobs/dto/output-job-v4.dto.ts
index f29c2814c..31bcb8971 100644
--- a/src/jobs/dto/output-job-v4.dto.ts
+++ b/src/jobs/dto/output-job-v4.dto.ts
@@ -1,11 +1,11 @@
 import { PartialType } from "@nestjs/swagger";
 import { CreateJobDto } from "./create-job.dto";
 import {
+  IsArray,
   IsDateString,
   IsObject,
   IsOptional,
   IsString,
-  IsArray,
 } from "class-validator";
 import { PartialOutputDatasetDto } from "src/datasets/dto/output-dataset.dto";
 
diff --git a/src/jobs/jobs.controller.utils.ts b/src/jobs/jobs.controller.utils.ts
index 2e97ac106..42fbb98cd 100644
--- a/src/jobs/jobs.controller.utils.ts
+++ b/src/jobs/jobs.controller.utils.ts
@@ -516,6 +516,19 @@ export class JobsControllerUtils {
     }
   }
 
+  /**
+   * Extract the Bearer token from the Authorization header of the request.
+   */
+  private extractBearerToken(request: Request): string | undefined {
+    const authHeader = request.headers?.authorization;
+    if (!authHeader) return undefined;
+    const parts = authHeader.split(" ");
+    if (parts.length === 2 && parts[0].toLowerCase() === "bearer") {
+      return parts[1];
+    }
+    return undefined;
+  }
+
   /**
    * Create job implementation
    */
@@ -530,6 +543,11 @@ export class JobsControllerUtils {
       createJobDto,
       request.user as JWTUser,
     );
+    // Extract JWT from Authorization header
+    const accessToken = this.extractBearerToken(request);
+    if (accessToken) {
+      jobInstance.accessToken = accessToken;
+    }
     // Allow actions to validate DTO
     const jobConfig = this.getJobTypeConfiguration(createJobDto.type);
     const validateContext = { request: createJobDto, env: process.env };
diff --git a/src/jobs/schemas/job.schema.ts b/src/jobs/schemas/job.schema.ts
index d0be4bfe4..e3b379ebd 100644
--- a/src/jobs/schemas/job.schema.ts
+++ b/src/jobs/schemas/job.schema.ts
@@ -12,6 +12,10 @@ export type JobDocument = JobClass & Document;
   timestamps: true,
   toJSON: {
     getters: true,
+    transform: (_doc: Document, ret: Record<string, unknown>) => {
+      delete ret.accessToken;
+      return ret;
+    },
   },
 })
 export class JobClass extends OwnableClass {
@@ -106,6 +110,17 @@ export class JobClass extends OwnableClass {
     default: {},
   })
   jobResultObject: Record<string, unknown>;
+
+  /**
+   * JWT access token provided by the user at job creation time.
+   * Stored for reuse by actions performed within the job.
+   * Not exposed in API responses for security reasons.
+   */
+  @Prop({
+    type: String,
+    required: false,
+  })
+  accessToken?: string;
 }
 export const JobSchema = SchemaFactory.createForClass(JobClass);