From 44c4461cfb431e52a9dbf28544eeca8a8cad4d1b Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 11 Jun 2026 21:33:43 +0200
Subject: [PATCH] fix(audit): only attribute the logout event to user tokens

Link share JWTs carry no sid claim so they returned before the event fired, but the id claim was read without checking the token type. Make the guard explicit so a link share id can never appear as a user id.
---
 pkg/routes/api/v1/login.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/pkg/routes/api/v1/login.go b/pkg/routes/api/v1/login.go
index 7385ed1f6..8bcde0dcf 100644
--- a/pkg/routes/api/v1/login.go
+++ b/pkg/routes/api/v1/login.go
@@ -243,8 +243,12 @@ func Logout(c *echo.Context) (err error) {
 	if jwtinf, ok := raw.(*jwt.Token); ok {
 		if claims, ok := jwtinf.Claims.(jwt.MapClaims); ok {
 			sid, _ = claims["sid"].(string)
-			if id, ok := claims["id"].(float64); ok {
-				userID = int64(id)
+			// Only user tokens carry a sid, but check the type explicitly
+			// so a link share id can never be logged as a user id.
+			if typ, ok := claims["type"].(float64); ok && int(typ) == auth.AuthTypeUser {
+				if id, ok := claims["id"].(float64); ok {
+					userID = int64(id)
+				}
 			}
 		}
 	}
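Review bot: The new guard `if typ, ok := claims["type"].(float64); ok && int(typ) == auth.AuthTypeUser` silently leaves userID at 0 whenever the type claim is missing or not a JSON number, so a genuine user token without that claim would produce an audit event with no subject rather than a wrong one. If every token the server issues carries a numeric `type` this is fine, but that is not visible here, and an unattributed logout is the kind of gap an audit reviewer would want called out; a comment such as `// A token without a numeric type claim is not attributed: userID stays 0 and the event records no user.` would make the failure mode explicit, or an else branch could log the unexpected shape at debug level. The reading of `sid` on the line above the guard remains unconditional, which the commit message says is handled by an early return when sid is empty; that return and the rest of Logout lie outside this hunk.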