feat(api tokens): check if a provided token matched a hashed on in the database

2023-08-31 21:39:26 +02:00
parent c88cbaa973
commit fb2a1c59db
3 changed files with 57 additions and 4 deletions
--- a/pkg/modules/auth/auth.go
+++ b/pkg/modules/auth/auth.go
@ -17,6 +17,8 @@
 package auth

 import (
+	"code.vikunja.io/api/pkg/db"
+	"fmt"
 	"net/http"
 	"time"

@ -101,7 +103,20 @@ func NewLinkShareJWTAuthtoken(share *models.LinkSharing) (token string, err erro

 // GetAuthFromClaims returns a web.Auth object from jwt claims
 func GetAuthFromClaims(c echo.Context) (a web.Auth, err error) {
-	jwtinf := c.Get("user").(*jwt.Token)
+	// check if we have a token in context and use it if that's the case
+	if c.Get("api_token") != nil {
+		apiToken := c.Get("api_token").(*models.APIToken)
+		u, err := user.GetUserByID(db.NewSession(), apiToken.OwnerID)
+		if err != nil {
+			return nil, err
+		}
+		return u, nil
+	}
+
+	jwtinf, is := c.Get("user").(*jwt.Token)
+	if !is {
+		return nil, fmt.Errorf("user in context is not jwt token")
+	}
 	claims := jwtinf.Claims.(jwt.MapClaims)
 	typ := int(claims["type"].(float64))
 	if typ == AuthTypeLinkShare && config.ServiceEnableLinkSharing.GetBool() {