ae/notatest
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: compare claims subject (user ID) instead of token's ID

Browse Source
This commit is contained in:
ae 2025-04-01 12:19:25 +03:00
parent 2b65bf70d8
commit c5a56c8479
Signed by: ae
GPG Key ID: 995EFD5C1B532B3E
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
server/pkg/service/middleware.go
View File

@ -78,7 +78,7 @@ func ownerOnlyMiddleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
user, ok := r.Context().Value(userCtxKey{}).(*userClaims) user, ok := r.Context().Value(userCtxKey{}).(*userClaims)
requestedID := chi.URLParam(r, "id") requestedID := chi.URLParam(r, "id")
if !ok || user.ID != requestedID { if !ok || user.Subject != requestedID {
respondError(w, http.StatusForbidden, "Forbidden") respondError(w, http.StatusForbidden, "Forbidden")
return return
} }