From 7ba9e94bae1cbeba7fc7e390d09e2821ba46b996 Mon Sep 17 00:00:00 2001
From: Mike Crute
Date: Wed, 24 Nov 2021 08:41:25 -0800
Subject: Restrict service users
---
 app/middleware/auth.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/app/middleware/auth.go b/app/middleware/auth.go
index 58b10a7..7cef4d7 100644
--- a/app/middleware/auth.go
+++ b/app/middleware/auth.go
@@ -187,6 +187,13 @@ func (m *AuthenticationMiddleware) HandleCompleteLogin(c echo.Context) error {
 return echo.ErrUnauthorized
 }
+ // Service users should only be allowed to submit self-signed JWTs. A
+ // service user should never be able to use GitHub auth.
+ if dbUser.IsService {
+ c.Logger().Errorf("Service user %s attempted to use GitHub auth", user)
+ return echo.ErrUnauthorized
+ }
+
 jwt, sk, err := m.JWTManager.CreateForUser(dbUser)
 if err != nil {
 return echo.ErrInternalServerError
--
cgit v1.2.3
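Review bot: The log call on the new `dbUser.IsService` branch formats the GitHub login with `%s`; since `user` originates from the external provider, `%q` is the safer choice so an empty or whitespace-padded value is visible and escaped in the log, e.g. `c.Logger().Errorf("Service user %q attempted to use GitHub auth", user)`. Placing the guard immediately before `m.JWTManager.CreateForUser` correctly stops token issuance, but anything HandleCompleteLogin does with the GitHub profile earlier in the function (user-record updates, session state) would still run for a service account; HandleCompleteLogin begins and ends outside the hunk, so that ordering is worth confirming. Returning the same `echo.ErrUnauthorized` as the preceding failure path is good, as it does not distinguish service accounts from other denials to the caller. If any other endpoint mints JWTs from a user record, it presumably needs the same `IsService` check, since this change covers only the GitHub completion path.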