From 346849cc8c8f5f358850b9051622edc97d5eefc7 Mon Sep 17 00:00:00 2001
From: Derrick Hammer
Date: Mon, 12 Feb 2024 00:18:52 -0500
Subject: [PATCH] refactor: ensure only a given install can access its access tokens with the app-install-get-access-token route
---
 api/middleware.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/api/middleware.go b/api/middleware.go
index 686ba4f..a0ac80c 100644
--- a/api/middleware.go
+++ b/api/middleware.go
@@ -15,6 +15,7 @@ import (
 "gorm.io/gorm"
 "io"
 "net/http"
+ "strconv"
 "strings"
 )
@@ -128,6 +129,21 @@ func githubRestVerifyMiddleware(db *gorm.DB) mux.MiddlewareFunc { http.Error(w, err.Error(), http.StatusBadRequest) return } + if mux.CurrentRoute(r).GetName() == "app-install-get-access-token" { installId := mux.Vars(r)["installation_id"] installIdInt, err := strconv.Atoi(installId) if err != nil { http.Error(w, "Invalid Install", http.StatusUnauthorized) return } if appId != uint(installIdInt) { http.Error(w, "Invalid Install", http.StatusUnauthorized) return } } } addAuthStatusToRequestServ(true, r, w, next)
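Review bot: The new guard compares `appId` against the `installation_id` route variable, and unless `appId` (assigned above the hunk) holds the installation ID of the verified caller rather than the GitHub App ID, the check either rejects every legitimate caller or gates on the wrong identifier; confirm what `appId` carries and name it for what it is, e.g. `installationID`. `strconv.Atoi` followed by `uint(installIdInt)` accepts a negative path value and wraps it rather than rejecting it; `installIdInt, err := strconv.ParseUint(installId, 10, 64)` refuses negatives and overflow up front and leaves the comparison line unchanged. Because the check is keyed on the route name, it silently stops applying if the route is renamed or another route starts returning installation tokens, so a comment above the `if` such as `// Only the installation that signed this request may fetch its own token; any route that hands out installation tokens must be listed here` is worth adding. A verified caller asking for a different installation's token is a 403 Forbidden case, so `http.StatusForbidden` fits the second error better than `http.StatusUnauthorized`. githubRestVerifyMiddleware and the conditional block that encloses the new code both start outside the hunk.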