Bearer token authentication fails with enterprise license active

This commit is contained in:
jarek
2026-04-19 10:12:59 +02:00
parent 1bf5dec60f
commit aaaf252d4c
2 changed files with 13 additions and 6 deletions
+6 -6
@@ -159,8 +159,8 @@ export async function authorize(cookies: Cookies): Promise<AuthorizationContext>
// Must be authenticated
if (!user) return false;
// Admins can access all environments
if (user.isAdmin) return true;
// Admins can access all environments (use fresh isAdmin, not cached user.isAdmin)
if (isAdmin) return true;
// In free edition, all authenticated users have full access
if (!enterprise) return true;
@@ -176,8 +176,8 @@ export async function authorize(cookies: Cookies): Promise<AuthorizationContext>
// Must be authenticated
if (!user) return [];
// Admins can access all environments
if (user.isAdmin) return null;
// Admins can access all environments (use fresh isAdmin, not cached user.isAdmin)
if (isAdmin) return null;
// In free edition, all authenticated users have full access
if (!enterprise) return null;
@@ -193,8 +193,8 @@ export async function authorize(cookies: Cookies): Promise<AuthorizationContext>
// Must be authenticated
if (!user) return false;
// Admins can always manage users
if (user.isAdmin) return true;
// Admins can always manage users (use fresh isAdmin, not cached user.isAdmin)
if (isAdmin) return true;
// In free edition, all authenticated users have full access
if (!enterprise) return true;
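Review bot: The three guards now branch on `isAdmin`, which is declared outside these hunks, while the `user` object keeps its stale `user.isAdmin` field, so any other consumer of `user` in this module or in callers still sees the cached value the commit is working around. Rather than repeating the same parenthetical in three comments, consider normalising once where `isAdmin` is computed, e.g. `const user = rawUser ? { ...rawUser, isAdmin } : rawUser;`, and documenting at that declaration why the fresh lookup and the cached field can differ; the three comments can then return to `// Admins can access all environments`. If `isAdmin` can be `undefined` when the lookup fails, the guards fall through to the `enterprise` checks, which is the safe direction, but that is worth a line at the declaration too. The enclosing closures and `authorize` itself start and end outside these hunks, as does the corresponding guard at line 193 of the third hunk.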
@@ -3,6 +3,7 @@ import type { RequestHandler } from './$types';
import { authorize } from '$lib/server/authorize';
import { revokeApiToken } from '$lib/server/api-tokens';
import { isAuthEnabled } from '$lib/server/auth';
import { getRequestContext } from '$lib/server/request-context';
import { audit } from '$lib/server/audit';
/**
@@ -16,6 +17,12 @@ export const DELETE: RequestHandler = async (event) => {
return json({ error: 'Authentication is not enabled' }, { status: 400 });
}
// Bearer tokens cannot manage tokens (prevent leaked token from revoking others)
const reqCtx = getRequestContext();
if (reqCtx?.authMethod === 'bearer') {
return json({ error: 'Token management requires a cookie session' }, { status: 403 });
}
const auth = await authorize(cookies);
if (!auth.isAuthenticated || !auth.user) {
return json({ error: 'Authentication required' }, { status: 401 });