usememos/memos
1
1
Fork 0
mirror of https://github.com/usememos/memos.git synced 2024-11-11 01:12:40 +08:00
Code Issues Projects Releases Packages Wiki Activity

fix: validate username before create token (#2439)

Browse source 
Validate username before create token
This commit is contained in:
Athurg Gooth 2023-10-25 12:05:44 +08:00 committed by GitHub
parent 043357d7dc
commit 064c930aed
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
api/v2/user_service.go
View file

@ -231,7 +231,22 @@ func (s *UserService) CreateUserAccessToken(ctx context.Context, request *apiv2p
if request.ExpiresAt != nil { if request.ExpiresAt != nil {
expiresAt = request.ExpiresAt.AsTime() expiresAt = request.ExpiresAt.AsTime()
} }
accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, expiresAt, []byte(s.Secret))
// Create access token for other users need to be verified.
if user.Username != request.Username {
// Normal users can only create access tokens for others.
if user.Role == store.RoleUser {
return nil, status.Errorf(codes.PermissionDenied, "permission denied")
}
// The request user must be exist.
requestUser, err := s.Store.GetUser(ctx, &store.FindUser{Username: &request.Username})
if requestUser == nil || err != nil {
return nil, status.Errorf(codes.NotFound, "fail to find user %s", request.Username)
}
}
accessToken, err := auth.GenerateAccessToken(request.Username, user.ID, expiresAt, []byte(s.Secret))
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err) return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err)
} }