iatoolkit 0.56.0__tar.gz → 0.58.0__tar.gz

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: iatoolkit
-Version: 0.56.0
+Version: 0.58.0
 Summary: IAToolkit
 Author: Fernando Libedinsky
 License-Expression: MIT

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "iatoolkit"
-version = "0.56.0"
+version = "0.58.0"
 requires-python = ">=3.12"
 description = "IAToolkit"
 readme = "readme.md"

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/common/routes.py

@@ -21,7 +21,6 @@ def register_views(injector, app):
 
     from iatoolkit.views.index_view import IndexView
     from iatoolkit.views.init_context_api_view import InitContextApiView
-    from iatoolkit.views.llmquery_web_view import LLMQueryWebView
     from iatoolkit.views.llmquery_api_view import LLMQueryApiView
     from iatoolkit.views.tasks_view import TaskView
     from iatoolkit.views.tasks_review_view import TaskReviewView
@@ -67,8 +66,8 @@ def register_views(injector, app):
                      view_func=ChatTokenRequestView.as_view('chat-token'))
 
     # init (reset) the company context (with api-key)
-    app.add_url_rule('/<company_short_name>/api/init_context_api',
-                     view_func=InitContextApiView.as_view('init_context_api'))
+    app.add_url_rule('/<company_short_name>/api/init-context',
+                     view_func=InitContextApiView.as_view('init-context'))
 
     # register new user, account verification and forgot password
     app.add_url_rule('/<company_short_name>/signup',view_func=SignupView.as_view('signup'))
@@ -80,13 +79,8 @@ def register_views(injector, app):
 
     # main chat query, used by the JS in the browser (with credentials)
     # can be used also for executing iatoolkit prompts
-    app.add_url_rule('/<company_short_name>/llm_query', view_func=LLMQueryWebView.as_view('llm_query_web'))
-
-    # this is the same function as above, but with api-key
     app.add_url_rule('/<company_short_name>/api/llm_query', view_func=LLMQueryApiView.as_view('llm_query_api'))
 
-    # chat buttons are here on
-
     # open the promt directory
     app.add_url_rule('/<company_short_name>/api/prompts', view_func=PromptApiView.as_view('prompt'))
 

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/iatoolkit.py

@@ -19,7 +19,7 @@ from werkzeug.middleware.proxy_fix import ProxyFix
 from injector import Binder, singleton, Injector
 from importlib.metadata import version as _pkg_version, PackageNotFoundError
 
-IATOOLKIT_VERSION = "0.56.0"
+IATOOLKIT_VERSION = "0.57.0"
 
 # global variable for the unique instance of IAToolkit
 _iatoolkit_instance: Optional['IAToolkit'] = None

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/repositories/models.py

@@ -3,9 +3,10 @@
 #
 # IAToolkit is open source software.
 
-from sqlalchemy import Column, Integer, String, DateTime, Enum, Text, JSON, Boolean, ForeignKey, Table
+from sqlalchemy import Column, Integer, BigInteger, String, DateTime, Enum, Text, JSON, Boolean, ForeignKey, Table
 from sqlalchemy.orm import DeclarativeBase
 from sqlalchemy.orm import relationship, class_mapper, declarative_base
+from sqlalchemy.sql import func
 from datetime import datetime
 from pgvector.sqlalchemy import Vector
 from enum import Enum as PyEnum
@@ -307,3 +308,27 @@ class Prompt(Base):
 
     company = relationship("Company", back_populates="prompts")
     category = relationship("PromptCategory", back_populates="prompts")
+
+class AccessLog(Base):
+    # Modelo ORM para registrar cada intento de acceso a la plataforma.
+    __tablename__ = 'iat_access_log'
+
+    id = Column(BigInteger, primary_key=True)
+
+    timestamp = Column(DateTime(timezone=True), server_default=func.now(), nullable=False, index=True)
+    company_short_name = Column(String(100), nullable=False, index=True)
+    user_identifier = Column(String(255), index=True)
+
+    # Cómo y el Resultado
+    auth_type = Column(String(20), nullable=False) # 'local', 'external_api', 'redeem_token', etc.
+    outcome = Column(String(10), nullable=False)   # 'success' o 'failure'
+    reason_code = Column(String(50))               # Causa de fallo, ej: 'INVALID_CREDENTIALS'
+
+    # Contexto de la Petición
+    source_ip = Column(String(45), nullable=False)
+    user_agent_hash = Column(String(16))           # Hash corto del User-Agent
+    request_path = Column(String(255), nullable=False)
+
+    def __repr__(self):
+        return (f"<AccessLog(id={self.id}, company='{self.company_short_name}', "
+                f"user='{self.user_identifier}', outcome='{self.outcome}')>")

iatoolkit-0.58.0/src/iatoolkit/services/auth_service.py

@@ -0,0 +1,181 @@
+# Copyright (c) 2024 Fernando Libedinsky
+# Product: IAToolkit
+#
+# IAToolkit is open source software.
+
+from flask import request
+from injector import inject
+from iatoolkit.services.profile_service import ProfileService
+from iatoolkit.services.jwt_service import JWTService
+from iatoolkit.repositories.database_manager import DatabaseManager
+from iatoolkit.repositories.models import AccessLog
+from flask import request
+import logging
+import hashlib
+
+
+class AuthService:
+    """
+    Centralized service for handling authentication for all incoming requests.
+    It determines the user's identity based on either a Flask session cookie or an API Key.
+    """
+
+    @inject
+    def __init__(self, profile_service: ProfileService,
+                 jwt_service: JWTService,
+                 db_manager: DatabaseManager
+                 ):
+        self.profile_service = profile_service
+        self.jwt_service = jwt_service
+        self.db_manager = db_manager
+
+    def login_local_user(self, company_short_name: str, email: str, password: str) -> dict:
+        # try to autenticate a local user, register the event and return the result
+        auth_response = self.profile_service.login(
+            company_short_name=company_short_name,
+            email=email,
+            password=password
+        )
+
+        if not auth_response.get('success'):
+            self.log_access(
+                company_short_name=company_short_name,
+                user_identifier=email,
+                auth_type='local',
+                outcome='failure',
+                reason_code='INVALID_CREDENTIALS',
+            )
+        else:
+            self.log_access(
+                company_short_name=company_short_name,
+                auth_type='local',
+                outcome='success',
+                user_identifier=auth_response.get('user_identifier')
+            )
+
+        return auth_response
+
+    def redeem_token_for_session(self, company_short_name: str, token: str) -> dict:
+        # redeem a token for a session, register the event and return the result
+        payload = self.jwt_service.validate_chat_jwt(token)
+
+        if not payload:
+            self.log_access(
+                company_short_name=company_short_name,
+                auth_type='redeem_token',
+                outcome='failure',
+                reason_code='JWT_INVALID'
+            )
+            return {'success': False, 'error': 'Token inválido o expirado'}
+
+        # 2. if token is valid, extract the user_identifier
+        user_identifier = payload.get('user_identifier')
+        try:
+            # create the Flask session
+            self.profile_service.set_session_for_user(company_short_name, user_identifier)
+            self.log_access(
+                company_short_name=company_short_name,
+                auth_type='redeem_token',
+                outcome='success',
+                user_identifier=user_identifier
+            )
+            return {'success': True, 'user_identifier': user_identifier}
+        except Exception as e:
+            logging.error(f"Error al crear la sesión desde token para {user_identifier}: {e}")
+            self.log_access(
+                company_short_name=company_short_name,
+                auth_type='redeem_token',
+                outcome='failure',
+                reason_code='SESSION_CREATION_FAILED',
+                user_identifier=user_identifier
+            )
+            return {'success': False, 'error': 'No se pudo crear la sesión del usuario'}
+
+    def verify(self) -> dict:
+        """
+        Verifies the current request and identifies the user.
+
+        Returns a dictionary with:
+        - success: bool
+        - user_identifier: str (if successful)
+        - company_short_name: str (if successful)
+        - error_message: str (on failure)
+        - status_code: int (on failure)
+        """
+        # --- Priority 1: Check for a valid Flask web session ---
+        session_info = self.profile_service.get_current_session_info()
+        if session_info and session_info.get('user_identifier'):
+            # User is authenticated via a web session cookie.
+            return {
+                "success": True,
+                "company_short_name": session_info['company_short_name'],
+                "user_identifier": session_info['user_identifier']
+            }
+
+        # --- Priority 2: Check for a valid API Key in headers ---
+        api_key = None
+        auth = request.headers.get('Authorization', '')
+        if isinstance(auth, str) and auth.lower().startswith('bearer '):
+            api_key =  auth.split(' ', 1)[1].strip()
+
+        if api_key:
+            api_key_entry = self.profile_service.get_active_api_key_entry(api_key)
+            if not api_key_entry:
+                logging.info(f"Invalid or inactive API Key {api_key}")
+                return {"success": False, "error": "Invalid or inactive API Key", "status_code": 401}
+
+            # obtain the company from the api_key_entry
+            company = api_key_entry.company
+
+            # For API calls, the external_user_id must be provided in the request.
+            user_identifier = ''
+            if request.is_json:
+                data = request.get_json() or {}
+                user_identifier = data.get('user_identifier', '')
+
+            return {
+                "success": True,
+                "company_short_name": company.short_name,
+                "user_identifier": user_identifier
+            }
+
+        # --- Failure: No valid credentials found ---
+        logging.info(f"Authentication required. No session cookie or API Key provided.")
+        return {"success": False, "error": "Authentication required. No session cookie or API Key provided.",
+                "status_code": 402}
+
+    def log_access(self,
+                   company_short_name: str,
+                   auth_type: str,
+                   outcome: str,
+                   user_identifier: str = None,
+                   reason_code: str = None):
+        """
+        Registra un intento de acceso en la base de datos.
+        Es "best-effort" y no debe interrumpir el flujo de autenticación.
+        """
+        session = self.db_manager.scoped_session()
+        try:
+            # Capturar datos del contexto de la petición de Flask
+            source_ip = request.headers.get('X-Forwarded-For', request.remote_addr)
+            path = request.path
+            ua = request.headers.get('User-Agent', '')
+            ua_hash = hashlib.sha256(ua.encode()).hexdigest()[:16] if ua else None
+
+            # Crear la entrada de log
+            log_entry = AccessLog(
+                company_short_name=company_short_name,
+                user_identifier=user_identifier,
+                auth_type=auth_type,
+                outcome=outcome,
+                reason_code=reason_code,
+                source_ip=source_ip,
+                user_agent_hash=ua_hash,
+                request_path=path,
+            )
+            session.add(log_entry)
+            session.commit()
+
+        except Exception as e:
+            logging.error(f"Fallo al escribir en AccessLog: {e}", exc_info=False)
+            session.rollback()

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/services/profile_service.py

@@ -66,16 +66,18 @@ class ProfileService:
                 "extras": {}
             }
 
-            # 2. Call the session creation helper with the pre-built profile.
-            # user_identifier = str(user.id)
-            self.create_web_session(company, user_identifier, user_profile)
+            # 2. create user_profile in context
+            self.save_user_profile(company, user_identifier, user_profile)
+
+            # 3. create the web session
+            self.set_session_for_user(company.short_name, user_identifier)
             return {'success': True, "user_identifier": user_identifier, "message": "Login exitoso"}
         except Exception as e:
             return {'success': False, "message": str(e)}
 
-    def create_external_user_session(self, company: Company, user_identifier: str):
+    def create_external_user_profile_context(self, company: Company, user_identifier: str):
         """
-        Public method for views to create a web session for an external user.
+        Public method for views to create a user profile context for an external user.
         """
         # 1. Fetch the external user profile via Dispatcher.
         external_user_profile = self.dispatcher.get_user_info(
@@ -84,12 +86,12 @@ class ProfileService:
         )
 
         # 2. Call the session creation helper with external_user_id as user_identifier
-        self.create_web_session(
+        self.save_user_profile(
             company=company,
             user_identifier=user_identifier,
             user_profile=external_user_profile)
 
-    def create_web_session(self, company: Company, user_identifier: str, user_profile: dict):
+    def save_user_profile(self, company: Company, user_identifier: str, user_profile: dict):
         """
         Private helper: Takes a pre-built profile, saves it to Redis, and sets the Flask cookie.
         """
@@ -102,10 +104,8 @@ class ProfileService:
         # save user_profile in Redis session
         self.session_context.save_profile_data(company.short_name, user_identifier, user_profile)
 
-        # save a min Flask session cookie for this user
-        self.set_session_for_user(company.short_name, user_identifier)
-
     def set_session_for_user(self, company_short_name: str, user_identifier:str ):
+        # save a min Flask session cookie for this user
         SessionManager.set('company_short_name', company_short_name)
         SessionManager.set('user_identifier', user_identifier)
 

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/services/query_service.py

@@ -66,9 +66,6 @@ class QueryService:
 
         # Get the user profile from the single source of truth.
         user_profile = self.profile_service.get_profile_by_identifier(company_short_name, user_identifier)
-        if not user_profile:
-            # This might happen if a session exists for a user that was deleted.
-            return None, None
 
         # render the iatoolkit main system prompt with the company/user information
         system_prompt_template = self.prompt_service.get_system_prompt()

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/services/user_session_context_service.py

@@ -23,7 +23,7 @@ class UserSessionContextService:
         return f"session:{company_short_name}/{user_identifier}"
 
     def clear_all_context(self, company_short_name: str, user_identifier: str):
-        """Limpia el contexto de sesión para un usuario de forma atómica."""
+        """Limpia el contexto del LLM en la sesión para un usuario de forma atómica."""
         session_key = self._get_session_key(company_short_name, user_identifier)
         if session_key:
             # RedisSessionManager.remove(session_key)

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/static/js/chat_main.js

@@ -6,7 +6,7 @@ let selectedPrompt = null; // Will hold a lightweight prompt object
 
 $(document).ready(function () {
     // Gatilla el redeem sin esperar ni manejar respuesta aquí
-        if (window.redeemToken !== '') {
+        if (window.redeemToken) {
             const url = `/api/redeem_token`;
             // No await: dejamos que callToolkit maneje todo internamente
             callToolkit(url, {'token': window.redeemToken}, "POST").catch(() => {});
@@ -183,7 +183,7 @@ const handleChatMessage = async function () {
             user_identifier: window.user_identifier
         };
 
-        const responseData = await callToolkit("/llm_query", data, "POST");
+        const responseData = await callToolkit("/api/llm_query", data, "POST");
         if (responseData && responseData.answer) {
             const answerSection = $('<div>').addClass('answer-section llm-output').append(responseData.answer);
             displayBotMessage(answerSection);

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/templates/_login_widget.html

@@ -14,7 +14,8 @@
           method="post">
       <div class="mb-3">
         <label for="email" class="form-label d-block">Correo Electrónico</label>
-        <input type="email" id="email" name="email" class="form-control" required>
+        <input type="email" id="email" name="email" class="form-control"
+               required value="{{ form_data.email or '' }}">
       </div>
       <div class="mb-3">
         <label for="password" class="form-label d-block">Contraseña</label>

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/templates/chat.html

@@ -183,11 +183,12 @@
     // --- Global Configuration from Backend ---
     window.companyShortName = "{{ company_short_name }}";
     window.user_identifier = "{{ user_identifier }}";
-    window.redeemToken = "{{ redeem_token }}";
+    window.redeemToken = {{ redeem_token | tojson | default('null') }};
     window.iatoolkit_base_url = "{{ iatoolkit_base_url }}";
     window.availablePrompts = {{ prompts.message | tojson }};
     window.onboardingCards = {{ onboarding_cards | tojson }};
     window.sendButtonColor = "{{ branding.send_button_color }}";
+
 </script>
 
 <!-- Carga de los scripts JS externos después de definir las variables globales -->
@@ -195,7 +196,7 @@
 <script src="{{ url_for('static', filename='js/chat_filepond.js', _external=True) }}"></script>
 <script src="{{ url_for('static', filename='js/chat_history.js', _external=True) }}"></script>
 <script src="{{ url_for('static', filename='js/chat_feedback.js', _external=True) }}"></script>
-<script src="{{ url_for('static', filename='js/chat_main.js', _external=True) }}"></script>
+    <script src="{{ url_for('static', filename='js/chat_context_reload.js', _external=True) }}"></script><script src="{{ url_for('static', filename='js/chat_main.js', _external=True) }}"></script>
 
 <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/toastr.js/latest/toastr.min.css">
 <script src="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
@@ -223,67 +224,6 @@
         })
     });
 
-document.addEventListener('DOMContentLoaded', function() {
-    const reloadButton = document.getElementById('force-reload-button');
-    if (!reloadButton) return;
-
-    const originalIconClass = 'bi bi-arrow-clockwise';
-    const spinnerIconClass = 'spinner-border spinner-border-sm';
-
-    // Configuración de Toastr para que aparezca abajo a la derecha
-    toastr.options = { "positionClass": "toast-bottom-right", "preventDuplicates": true };
-
-    reloadButton.addEventListener('click', function(event) {
-        event.preventDefault();
-
-        if (reloadButton.disabled) return; // Prevenir doble clic
-
-        // 1. Deshabilitar y mostrar spinner
-        reloadButton.disabled = true;
-        const icon = reloadButton.querySelector('i');
-        icon.className = spinnerIconClass;
-        toastr.info('Iniciando recarga de contexto en segundo plano...');
-
-        // 2. Construir la URL dinámicamente
-        const company = window.companyShortName;
-        const reloadUrl = `/${company}/api/init_context_api`;
-
-        // 3. Hacer la llamada AJAX con POST
-        fetch(reloadUrl, {
-            method: 'POST',
-            headers: {
-                'Content-Type': 'application/json'
-            },
-            // Envía un cuerpo vacío o los datos necesarios
-            body: JSON.stringify({})
-        })
-        .then(response => {
-            if (!response.ok) {
-                return response.json().then(err => {
-                    throw new Error(err.error_message || `Error del servidor: ${response.status}`);
-                });
-            }
-            return response.json();
-        })
-        .then(data => {
-            if (data.status === 'OK') {
-                toastr.success(data.message || 'Contexto recargado exitosamente.');
-            } else {
-                toastr.error(data.error_message || 'Ocurrió un error desconocido.');
-            }
-        })
-        .catch(error => {
-            console.error('Error durante la recarga del contexto:', error);
-            toastr.error(error.message || 'Error de red al intentar recargar.');
-        })
-        .finally(() => {
-            // 4. Restaurar el botón
-            reloadButton.disabled = false;
-            icon.className = originalIconClass;
-        });
-    });
-});
-
 // Inicialización del modal de onboarding
 document.addEventListener('DOMContentLoaded', function () {
   const btn = document.getElementById('onboarding-button');

{iatoolkit-0.56.0 → iatoolkit-0.58.0}/src/iatoolkit/views/base_login_view.py

@@ -8,11 +8,13 @@ from flask.views import MethodView
 from flask import render_template, url_for
 from injector import inject
 from iatoolkit.services.profile_service import ProfileService
+from iatoolkit.services.auth_service import AuthService
 from iatoolkit.services.query_service import QueryService
 from iatoolkit.services.branding_service import BrandingService
 from iatoolkit.services.onboarding_service import OnboardingService
 from iatoolkit.services.prompt_manager_service import PromptService
 from iatoolkit.services.jwt_service import JWTService
+from iatoolkit.repositories.models import Company
 
 
 class BaseLoginView(MethodView):
@@ -23,6 +25,7 @@ class BaseLoginView(MethodView):
     @inject
     def __init__(self,
                  profile_service: ProfileService,
+                 auth_service: AuthService,
                  jwt_service: JWTService,
                  branding_service: BrandingService,
                  prompt_service: PromptService,
@@ -30,6 +33,7 @@ class BaseLoginView(MethodView):
                  query_service: QueryService
                  ):
         self.profile_service = profile_service
+        self.auth_service = auth_service
         self.jwt_service = jwt_service
         self.branding_service = branding_service
         self.prompt_service = prompt_service
@@ -37,44 +41,26 @@ class BaseLoginView(MethodView):
         self.query_service = query_service
 
 
-    def _handle_login_path(self, company_short_name: str, user_identifier: str, company):
+    def _handle_login_path(self,
+                           company: Company,
+                           user_identifier: str,
+                           target_url: str,
+                           redeem_token: str = None):
         """
         Centralized logic to decide between the fast path and the slow path.
         """
-        # --- Get the company branding ---
+        # --- Get the company branding and onboarding_cards
         branding_data = self.branding_service.get_company_branding(company)
+        onboarding_cards = self.onboarding_service.get_onboarding_cards(company)
+        company_short_name = company.short_name
 
         # this service decides is the context needs to be rebuilt or not
         prep_result = self.query_service.prepare_context(
-            company_short_name=company_short_name, user_identifier=user_identifier
+            company_short_name=company.short_name, user_identifier=user_identifier
         )
 
-        # generate continuation token for external login
-        redeem_token = ''
-        if self.__class__.__name__ == 'ExternalLoginView':
-            redeem_token = self.jwt_service.generate_chat_jwt(
-                company_short_name=company_short_name,
-                user_identifier=user_identifier,
-                expires_delta_seconds=300
-            )
-
-            if not redeem_token:
-                return "Error al generar el redeem_token para login externo.", 500
-
         if prep_result.get('rebuild_needed'):
             # --- SLOW PATH: Render the loading shell ---
-            onboarding_cards = self.onboarding_service.get_onboarding_cards(company)
-
-            # callback url to call when the context finish loading
-            if redeem_token:
-                target_url = url_for('finalize_with_token',
-                                     company_short_name=company_short_name,
-                                     token=redeem_token,
-                                     _external=True)
-            else:
-                target_url = url_for('finalize_no_token',
-                                     company_short_name=company_short_name,
-                                     _external=True)
             return render_template(
                 "onboarding_shell.html",
                 iframe_src_url=target_url,
@@ -84,13 +70,12 @@ class BaseLoginView(MethodView):
         else:
             # --- FAST PATH: Render the chat page directly ---
             prompts = self.prompt_service.get_user_prompts(company_short_name)
-            onboarding_cards = self.onboarding_service.get_onboarding_cards(company)
             return render_template(
                 "chat.html",
                 company_short_name=company_short_name,
                 user_identifier=user_identifier,
-                branding=branding_data,
                 prompts=prompts,
+                branding=branding_data,
                 onboarding_cards=onboarding_cards,
                 redeem_token=redeem_token
             )

iatoolkit-0.58.0/src/iatoolkit/views/external_login_view.py

@@ -0,0 +1,83 @@
+# Copyright (c) 2024 Fernando Libedinsky
+# Product: IAToolkit
+#
+# IAToolkit is open source software.
+
+import os
+import logging
+from flask import request, jsonify, url_for
+from injector import inject
+from iatoolkit.views.base_login_view import BaseLoginView
+
+# Importar los servicios que necesita la clase base
+from iatoolkit.services.profile_service import ProfileService
+from iatoolkit.services.jwt_service import JWTService
+
+class ExternalLoginView(BaseLoginView):
+    """
+    Handles login for external users via API.
+    Authenticates and then delegates the path decision (fast/slow) to the base class.
+    """
+    def post(self, company_short_name: str):
+        data = request.get_json()
+        if not data or 'user_identifier' not in data:
+            return jsonify({"error": "Falta user_identifier"}), 400
+
+        company = self.profile_service.get_company_by_short_name(company_short_name)
+        if not company:
+            return jsonify({"error": "Empresa no encontrada"}), 404
+
+        user_identifier = data.get('user_identifier')
+        if not user_identifier:
+            return jsonify({"error": "missing user_identifier"}), 404
+
+        # 1. Authenticate the API call.
+        auth_response = self.auth_service.verify()
+        if not auth_response.get("success"):
+            return jsonify(auth_response), 401
+
+        # 2. Create the external user session.
+        self.profile_service.create_external_user_profile_context(company, user_identifier)
+
+        # 3. create a redeem_token for create session at the end of the process
+        redeem_token = self.jwt_service.generate_chat_jwt(
+            company_short_name=company_short_name,
+            user_identifier=user_identifier,
+            expires_delta_seconds=300
+        )
+
+        if not redeem_token:
+            return jsonify({"error": "Error al generar el redeem_token para login externo."}), 403
+
+        # 4. define URL to call when slow path is finished
+        target_url = url_for('finalize_with_token',
+                             company_short_name=company_short_name,
+                             token=redeem_token,
+                             _external=True)
+
+        # 5. Delegate the path decision to the centralized logic.
+        try:
+            return self._handle_login_path(company, user_identifier, target_url, redeem_token)
+        except Exception as e:
+            logging.exception(f"Error processing external login path for {company_short_name}/{user_identifier}: {e}")
+            return jsonify({"error": f"Internal server error while starting chat. {str(e)}"}), 500
+
+
+class RedeemTokenApiView(BaseLoginView):
+    # this endpoint is only used ONLY by chat_main.js to redeem a chat token
+    def post(self, company_short_name: str):
+        data = request.get_json()
+        if not data or 'token' not in data:
+            return jsonify({"error": "Falta token de validación"}), 400
+
+        # get the token and validate with auth service
+        token = data.get('token')
+        redeem_result = self.auth_service.redeem_token_for_session(
+            company_short_name=company_short_name,
+            token=token
+        )
+
+        if not redeem_result['success']:
+            return {"error": redeem_result['error']}, 401
+
+        return {"status": "ok"}, 200