From aaaf252d4c98877362e79220401bbf88977d249e Mon Sep 17 00:00:00 2001
From: jarek
Date: Sun, 19 Apr 2026 10:12:59 +0200
Subject: [PATCH] Bearer token authentication fails with enterprise license active
---
 src/lib/server/authorize.ts | 12 ++++++------
 src/routes/api/auth/tokens/[id]/+server.ts | 7 +++++++
 2 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/src/lib/server/authorize.ts b/src/lib/server/authorize.ts
index 9c9ac71..968b198 100644
--- a/src/lib/server/authorize.ts
+++ b/src/lib/server/authorize.ts
@@ -159,8 +159,8 @@ export async function authorize(cookies: Cookies): Promise
 // Must be authenticated
 if (!user) return false;
- // Admins can access all environments
- if (user.isAdmin) return true;
+ // Admins can access all environments (use fresh isAdmin, not cached user.isAdmin)
+ if (isAdmin) return true;
 // In free edition, all authenticated users have full access
 if (!enterprise) return true;
@@ -176,8 +176,8 @@ export async function authorize(cookies: Cookies): Promise
 // Must be authenticated
 if (!user) return [];
- // Admins can access all environments
- if (user.isAdmin) return null;
+ // Admins can access all environments (use fresh isAdmin, not cached user.isAdmin)
+ if (isAdmin) return null;
 // In free edition, all authenticated users have full access
 if (!enterprise) return null;
@@ -193,8 +193,8 @@ export async function authorize(cookies: Cookies): Promise
 // Must be authenticated
 if (!user) return false;
- // Admins can always manage users
- if (user.isAdmin) return true;
+ // Admins can always manage users (use fresh isAdmin, not cached user.isAdmin)
+ if (isAdmin) return true;
 // In free edition, all authenticated users have full access
 if (!enterprise) return true;
diff --git a/src/routes/api/auth/tokens/[id]/+server.ts b/src/routes/api/auth/tokens/[id]/+server.ts
index 8620762..719f3bc 100644
--- a/src/routes/api/auth/tokens/[id]/+server.ts
+++ b/src/routes/api/auth/tokens/[id]/+server.ts
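Review bot: The replacement `if (isAdmin) return true;` depends on an `isAdmin` that is computed earlier in `authorize`, outside this hunk, while the `user` object it replaces presumably still carries the `user.isAdmin` flag the new comment calls cached; if that object is what `authorize` hands back to routes (not visible here), callers reading `auth.user.isAdmin` will disagree with this check, so consider `user.isAdmin = isAdmin;` (or dropping the field) at the point where the fresh value is derived. As a matter of style, the parenthetical "(use fresh isAdmin, not cached user.isAdmin)" is repeated verbatim on all three call sites; keep the short comment here (`// Admins can access all environments`) and explain once, where `isAdmin` is computed, why the cached flag must not be trusted. The enclosing `authorize` starts before this hunk and continues after it.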
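Review bot: In the user-management check, `if (isAdmin) return true;` applies equally to bearer-token requests, which the companion change in `tokens/[id]/+server.ts` treats as less trusted than a cookie session ("prevent leaked token from revoking others"); by the same reasoning a leaked admin bearer token can still manage users through this path. If the authentication method is reachable from inside `authorize` (the request-context helper used in the other file suggests it is, but that is not visible in this hunk), consider gating the admin fast path on the session type, e.g. `if (isAdmin && authMethod !== 'bearer') return true;`, or requiring an explicit token scope before granting user-management rights to a token. The enclosing `authorize` starts before this hunk and continues after it.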
@@ -3,6 +3,7 @@ import type { RequestHandler } from './$types';
 import { authorize } from '$lib/server/authorize';
 import { revokeApiToken } from '$lib/server/api-tokens';
 import { isAuthEnabled } from '$lib/server/auth';
+import { getRequestContext } from '$lib/server/request-context';
 import { audit } from '$lib/server/audit';
 /**
@@ -16,6 +17,12 @@ export const DELETE: RequestHandler = async (event) => {
 return json({ error: 'Authentication is not enabled' }, { status: 400 });
 }
+ // Bearer tokens cannot manage tokens (prevent leaked token from revoking others)
+ const reqCtx = getRequestContext();
+ if (reqCtx?.authMethod === 'bearer') {
+ return json({ error: 'Token management requires a cookie session' }, { status: 403 });
+ }
+
 const auth = await authorize(cookies);
 if (!auth.isAuthenticated || !auth.user) {
 return json({ error: 'Authentication required' }, { status: 401 });
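Review bot: The new guard fails open: `reqCtx?.authMethod === 'bearer'` lets the request through whenever `getRequestContext()` returns undefined or reports any method other than `'bearer'`, so a request whose context was never populated skips the restriction and is only checked by `authorize(cookies)` afterwards. If a missing context is never legitimate on this route, fail closed instead, `if (!reqCtx || reqCtx.authMethod === 'bearer') {` (or compare against the cookie-session value the context uses, if it defines one). The denial is also worth recording through the already-imported `audit` helper, since a bearer token being used to revoke tokens is exactly the leaked-token scenario the comment describes, and the same restriction presumably belongs on the token-creation and listing handlers, which this commit does not touch. The `DELETE` handler continues past the end of this hunk.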