author | Mike Crute <mike@crute.us> | 2021-11-24 08:41:25 -0800 |
---|---|---|
committer | Mike Crute <mike@crute.us> | 2021-11-24 08:41:25 -0800 |
commit | 7ba9e94bae1cbeba7fc7e390d09e2821ba46b996 (patch) | |
tree | c01348acc25806c7925fe270a5c3aee406b5e9d6 /app | |
parent | fdeacfd45806e9a5773661381ed8b3d4dee9bc9c (diff) | |
Restrict service users
Diffstat (limited to 'app')
-rw-r--r-- | app/middleware/auth.go | 7 |
1 files changed, 7 insertions, 0 deletions
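--- a/app/middleware/auth.go
+++ b/app/middleware/auth.go
@@ -187,6 +187,13 @@ func (m *AuthenticationMiddleware) HandleCompleteLogin(c echo.Context) error {
 return echo.ErrUnauthorized
 }
 
+// Service users should only be allowed to submit self-signed JWTs. A
+// service user should never be able to use GitHub auth.
+if dbUser.IsService {
+c.Logger().Errorf("Service user %s attempted to use GitHub auth", user)
+return echo.ErrUnauthorized
+}
+
 jwt, sk, err := m.JWTManager.CreateForUser(dbUser)
 if err != nil {
 return echo.ErrInternalServerError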
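Review bot: The new `dbUser.IsService` guard in HandleCompleteLogin arrives without a test as far as the diffstat for app/ shows (only auth.go changed), so a later refactor of the login path could drop the restriction unnoticed; a case asserting that a service user completing the GitHub flow receives `echo.ErrUnauthorized` and no JWT would pin it. The denial is also an event worth making searchable for detection: consider quoting the name and recording the source address, e.g. `c.Logger().Errorf("Service user %q attempted to use GitHub auth from %s", user, c.RealIP())`. The comment says service users may only submit self-signed JWTs, but whether other callers of `m.JWTManager.CreateForUser` apply the same check is not visible here and should be confirmed. The function body starts and ends outside the hunk.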