The JWT skipper bypassed validation entirely for /token/test when the bearer was an API token, leaving "user" unset in the context. CheckToken then type-asserted it to *jwt.Token and panicked. Validate the API token in the skipper but skip the route permission check (since /token/test is not exposed in the API token route registry, no token can hold explicit permission for it). Drop the now-redundant JWT assertion in CheckToken — auth has already passed by the time the handler runs. |
||
|---|---|---|
| .. | ||
| api/v1 | ||
| caldav | ||
| admin_gate.go | ||
| api_tokens.go | ||
| error_handler.go | ||
| feature_gate.go | ||
| healthcheck.go | ||
| metrics.go | ||
| rate_limit.go | ||
| routes.go | ||
| sentry_middleware.go | ||
| static.go | ||
| validation.go | ||