1 files changed, 7 insertions, 0 deletions
diff --git a/app/middleware/auth.go b/app/middleware/auth.go
index 58b10a7..7cef4d7 100644
--- a/app/middleware/auth.go
+++ b/app/middleware/auth.go
@@ -187,6 +187,13 @@ func (m *AuthenticationMiddleware) HandleCompleteLogin(c echo.Context) error {
                return echo.ErrUnauthorized
        }
+        // Service users should only be allowed to submit self-signed JWTs. A
+        // service user should never be able to use GitHub auth.
+        if dbUser.IsService {
+                c.Logger().Errorf("Service user %s attempted to use GitHub auth", user)
+                return echo.ErrUnauthorized
+        }
        jwt, sk, err := m.JWTManager.CreateForUser(dbUser)
        if err != nil {
                return echo.ErrInternalServerError

diff --git a/app/middleware/auth.go b/app/middleware/auth.go index 58b10a7..7cef4d7 100644 --- a/app/middleware/auth.go +++ b/app/middleware/auth.go
@@ -187,6 +187,13 @@ func (m *AuthenticationMiddleware) HandleCompleteLogin(c echo.Context) error {
187	return echo.ErrUnauthorized	187	return echo.ErrUnauthorized
188	}	188	}
189		189
		190	// Service users should only be allowed to submit self-signed JWTs. A
		191	// service user should never be able to use GitHub auth.
		192	if dbUser.IsService {
		193	c.Logger().Errorf("Service user %s attempted to use GitHub auth", user)
		194	return echo.ErrUnauthorized
		195	}
		196
190	jwt, sk, err := m.JWTManager.CreateForUser(dbUser)	197	jwt, sk, err := m.JWTManager.CreateForUser(dbUser)
191	if err != nil {	198	if err != nil {
192	return echo.ErrInternalServerError	199	return echo.ErrInternalServerError