fix(audit): only attribute the logout event to user tokens
Link share JWTs carry no sid claim so they returned before the event fired, but the id claim was read without checking the token type. Make the guard explicit so a link share id can never appear as a user id.
parent
5d7812a093
commit
3291556821
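@@ -243,8 +243,12 @@ func Logout(c *echo.Context) (err error) {
 if jwtinf, ok := raw.(*jwt.Token); ok {
 if claims, ok := jwtinf.Claims.(jwt.MapClaims); ok {
 sid, _ = claims["sid"].(string)
-if id, ok := claims["id"].(float64); ok {
-userID = int64(id)
+// Only user tokens carry a sid, but check the type explicitly
+// so a link share id can never be logged as a user id.
+if typ, ok := claims["type"].(float64); ok && int(typ) == auth.AuthTypeUser {
+if id, ok := claims["id"].(float64); ok {
+userID = int64(id)
+}
 }
 }
 }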
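Review bot: The `sid` claim is still read on the context line above the new guard, so the type check protects `userID` but not the event itself — a non-user token that ever carried a `sid` would still reach the audit event, attributed to userID 0 rather than being skipped. If only user sessions are meant to be audited, move the read inside the new branch, i.e. `sid, _ = claims["sid"].(string)` directly after the `int(typ) == auth.AuthTypeUser` check, so a missing or foreign type short-circuits both values. Note also that `claims["type"].(float64)` fails silently for a token with no numeric `type` claim; if any tokens in circulation predate that claim, their logouts would now be recorded with userID 0 — worth confirming against the token issuer. The rest of Logout, including where `sid` is tested and the event is fired, is outside the hunk.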