Features: 1) None;

Fixes: 1) Replace direct user access with UUID-based lookup in token mutations;

Extra: 1) Updated all three token mutation methods to use User.objects.get by UUID; 2) Added consistent formatting and indentation.

engine/vibes_auth/graphene/mutations.py

@@ -205,7 +205,7 @@ class ObtainJSONWebToken(BaseMutation):
         try:
             serializer.is_valid(raise_exception=True)
             return ObtainJSONWebToken(
-                user=serializer.validated_data["user"],
+                user=User.objects.get(serializer.validated_data["user"]["uuid"]),
                 refresh_token=serializer.validated_data["refresh"],
                 access_token=serializer.validated_data["access"],
             )
@@ -226,7 +226,7 @@ class RefreshJSONWebToken(BaseMutation):
         try:
             serializer.is_valid(raise_exception=True)
             return RefreshJSONWebToken(
-                user=serializer.validated_data["user"],
+                user=User.objects.get(serializer.validated_data["user"]["uuid"]),
                 access_token=serializer.validated_data["access"],
                 refresh_token=serializer.validated_data["refresh"],
             )
@@ -247,7 +247,9 @@ class VerifyJSONWebToken(BaseMutation):
         with suppress(Exception):
             serializer.is_valid(raise_exception=True)
             # noinspection PyTypeChecker
-            return VerifyJSONWebToken(token_is_valid=True, user=serializer.validated_data["user"])
+            return VerifyJSONWebToken(
+                token_is_valid=True, user=User.objects.get(serializer.validated_data["user"]["uuid"])
+            )
         detail = traceback.format_exc() if settings.DEBUG else ""
         # noinspection PyTypeChecker
         return VerifyJSONWebToken(token_is_valid=False, user=None, detail=detail)