fix(auth): add explicit check for access token suspension (#2576)

Eric Dubé
2026-03-02 17:10:42 -05:00
committed by GitHub
parent c0583a9095
commit f6b9c69ce6
@@ -19,6 +19,7 @@
const APIError = require('../api/APIError');
const config = require('../config');
const { LegacyTokenError } = require('../services/auth/AuthService');
const { AccessTokenActorType } = require('../services/auth/Actor');
const { Context } = require('../util/context');
const jwt = require('jsonwebtoken');
@@ -163,10 +164,17 @@ const configurable_auth = options => async (req, res, next) => {
}
context.set('user', actor.type.user);
}
if ( actor.type instanceof AccessTokenActorType ) {
// AccessTokenActorType has no .user; the effective user is the authorizer's user
const authorizerUser = actor.type.authorizer?.type?.user;
if ( authorizerUser?.suspended ) {
throw APIError.create('forbidden');
}
}
// === Populate Request ===
req.actor = actor;
req.user = actor.type.user;
req.user = actor.type.user ?? (actor.type instanceof AccessTokenActorType ? actor.type.authorizer?.type?.user : undefined);
req.token = token;
next();