fix(auth): reject disabled/locked users in API token middleware
checkAPITokenAndPutItInContext now returns 401 Unauthorized when the token owner's account is disabled or locked, instead of a 500 Internal Server Error. Also updates the API token test to match the middleware's actual behavior.
parent
525f5ee407
commit
cd6148511a
@ -92,6 +92,10 @@ func checkAPITokenAndPutItInContext(tokenHeaderValue string, c *echo.Context) er
|
|||
}
|
||||
|
||||
u, err := user.GetUserByID(s, token.OwnerID)
|
||||
if user.IsErrAccountDisabled(err) || user.IsErrAccountLocked(err) {
|
||||
log.Debugf("[auth] Tried authenticating with token %d but the owner's account is disabled or locked", token.ID)
|
||||
return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
|
||||
}
|
||||
if err != nil {
|
||||
return echo.NewHTTPError(http.StatusInternalServerError, "Internal Server Error").Wrap(err)
|
||||
}
|
||||
|
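Review bot: The new branch `if user.IsErrAccountDisabled(err) || user.IsErrAccountLocked(err)` maps only those two states to 401; every other failure from `user.GetUserByID(s, token.OwnerID)` still falls through to the 500 path right below, so a token whose owner row no longer exists (if the user package reports that with its own error rather than a plain DB error) would still be answered with Internal Server Error instead of Unauthorized — if such a predicate exists, fold it into the same branch. The added log line is fine from a secrets standpoint since it records `token.ID` and never the token value; keep it that way if the message is ever extended. A short why-comment above the check would help the next reader, e.g. `// A disabled or locked owner is an authentication failure, not a server fault: answer 401 with a generic message rather than leaking the reason via a 500.` The body of checkAPITokenAndPutItInContext continues outside the hunk, so whether anything after this point re-checks `u` is not visible here.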
|
|
|||
|
|
@ -104,18 +104,13 @@ func TestAPIToken(t *testing.T) {
|
|||
res := httptest.NewRecorder()
|
||||
c := e.NewContext(req, res)
|
||||
h := routes.SetupTokenMiddleware()(func(c *echo.Context) error {
|
||||
u, err := auth.GetAuthFromClaims(c)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return c.JSON(http.StatusOK, u)
|
||||
return c.String(http.StatusOK, "test")
|
||||
})
|
||||
|
||||
req.Header.Set(echo.HeaderAuthorization, "Bearer tk_disabled_user_test_token_000000001234abcd") // Token 4 (disabled user 17)
|
||||
err = h(c)
|
||||
require.Error(t, err)
|
||||
assert.True(t, user.IsErrAccountDisabled(err), "expected ErrAccountDisabled, got: %v", err)
|
||||
require.NoError(t, h(c))
|
||||
assert.Equal(t, http.StatusUnauthorized, res.Code)
|
||||
assert.Contains(t, res.Body.String(), `"code":11`)
|
||||
})
|
||||
t.Run("jwt", func(t *testing.T) {
|
||||
e, err := setupTestEnv()
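Review bot: The body assertion `assert.Contains(t, res.Body.String(), `"code":11`)` is a substring match, so it would also pass on `"code":110` or `"code":112`; either include the delimiter (`"code":11,`) or decode the JSON and compare the integer, ideally against the project's named error-code constant if one exists, so the test fails when a different code is emitted. Only the disabled-user fixture (`tk_disabled_user_test_token_…`, "Token 4 (disabled user 17)") is exercised, although the commit covers locked accounts as well; a second sub-test with a locked user's token would pin that branch too. The switch to `require.NoError(t, h(c))` presumes that `SetupTokenMiddleware` writes the 401 response itself rather than returning the HTTPError to the caller — that is consistent with the `res.Code` assertion, but a one-line comment stating it, e.g. `// the token middleware writes the 401 response itself, so h(c) returns nil`, would keep the next maintainer from "fixing" it back to an error assertion.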
|
||||
|
|
|
|||