fix(audit): only attribute the logout event to user tokens

Link share JWTs carry no sid claim, so Logout already returned before the
audit event fired; but the id claim was read without checking the token type.
Make the guard explicit so a link share id can never be recorded as a user id.
kolaente 2026-06-11 21:33:43 +02:00 committed by kolaente
parent 5d7812a093
commit 3291556821
1 changed files with 6 additions and 2 deletions


@ -243,8 +243,12 @@ func Logout(c *echo.Context) (err error) {
if jwtinf, ok := raw.(*jwt.Token); ok {
if claims, ok := jwtinf.Claims.(jwt.MapClaims); ok {
sid, _ = claims["sid"].(string)
if id, ok := claims["id"].(float64); ok {
userID = int64(id)
// Only user tokens carry a sid, but check the type explicitly
// so a link share id can never be logged as a user id.
if typ, ok := claims["type"].(float64); ok && int(typ) == auth.AuthTypeUser {
if id, ok := claims["id"].(float64); ok {
userID = int64(id)
}
}
}
}
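Review bot: The new type guard covers only the `id` claim, while `sid` is still read unconditionally three lines above it, so the comment "Only user tokens carry a sid" remains an assumption about what the issuer puts in the token rather than something this code enforces. Moving `sid, _ = claims["sid"].(string)` inside the `if typ, ok := claims["type"].(float64); ok && int(typ) == auth.AuthTypeUser {` block would make the session attribution depend on the type check in the same way as the user attribution, so a non-user token that happened to carry a sid could not reach the audit event as a user logout. Note also that a user token lacking a `type` claim (if any such tokens are still in circulation) now falls through with `userID == 0`; if that case can occur, it is probably worth logging rather than silently recording an unattributed event. The body of Logout begins before this hunk and continues after it, so the early return on an empty sid is not visible here.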