fix(audit): only attribute the logout event to user tokens
Link share JWTs carry no sid claim so they returned before the event fired, but the id claim was read without checking the token type. Make the guard explicit so a link share id can never appear as a user id.
This commit is contained in:
parent
8af56a8303
commit
44c4461cfb
@ -243,8 +243,12 @@ func Logout(c *echo.Context) (err error) {
if jwtinf, ok := raw.(*jwt.Token); ok {
if claims, ok := jwtinf.Claims.(jwt.MapClaims); ok {
sid, _ = claims["sid"].(string)
if id, ok := claims["id"].(float64); ok {
userID = int64(id)
// Only user tokens carry a sid, but check the type explicitly
// so a link share id can never be logged as a user id.
if typ, ok := claims["type"].(float64); ok && int(typ) == auth.AuthTypeUser {
if id, ok := claims["id"].(float64); ok {
userID = int64(id)
}
}
}
}
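Review bot: The new type guard at `if typ, ok := claims["type"].(float64); ok && int(typ) == auth.AuthTypeUser` leaves `userID` untouched when the claim is missing or names another token type, so the audit event is attributed to whatever value the variable held before this block; `userID` is declared outside the hunk, and if it is only ever the zero value that is fine, but nothing local makes that explicit. Resetting it in the same branch, `userID = 0` just before the type check, keeps the fail-closed intent where a reader looks for it and guarantees a non-user token can never inherit a stale id from earlier code. Both `type` and `id` are asserted as `float64`, which matches how `jwt.MapClaims` decodes JSON numbers by default but fails silently (userID stays unset, no error) if the parser is ever configured with `UseNumber` or the claim is issued as a string; a short `// MapClaims decodes JSON numbers as float64; a mismatch leaves userID unset` comment would make that assumption visible. The unconditional `sid, _ = claims["sid"].(string)` above still runs for every token type, so the commit's reasoning that sid-less link-share tokens return before the event fires is worth stating in a comment there, since that early return is not in this hunk. Logout starts and ends outside this hunk.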