refactor: ensure only a given install can access its access tokens with the app-install-get-access-token route

Derrick Hammer 2024-02-12 00:18:52 -05:00
parent d962eb5304
commit 346849cc8c
Signed by: pcfreak30
GPG Key ID: C997C339BE476FF2
1 changed files with 16 additions and 0 deletions


@ -15,6 +15,7 @@ import (
"gorm.io/gorm"
"io"
"net/http"
"strconv"
"strings"
)
@ -128,6 +129,21 @@ func githubRestVerifyMiddleware(db *gorm.DB) mux.MiddlewareFunc {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
if mux.CurrentRoute(r).GetName() == "app-install-get-access-token" {
installId := mux.Vars(r)["installation_id"]
installIdInt, err := strconv.Atoi(installId)
if err != nil {
http.Error(w, "Invalid Install", http.StatusUnauthorized)
return
}
if appId != uint(installIdInt) {
http.Error(w, "Invalid Install", http.StatusUnauthorized)
return
}
}
}
addAuthStatusToRequestServ(true, r, w, next)
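Review bot: The ownership check `if appId != uint(installIdInt)` compares a variable named as an app ID against the URL's `installation_id`; in GitHub's model an app has many installations and the two are separate identifier spaces, so unless `appId` (assigned above this hunk, outside the visible lines) actually holds the installation ID of the verified caller, this either rejects every legitimate request or binds the token to the wrong principal — confirm what `appId` is derived from and rename it if it is really the installation ID. The `strconv.Atoi` plus `uint(...)` conversion also accepts negative input and wraps it to a huge unsigned value; parsing the path value as unsigned is tighter and avoids the cast: `installIdInt, err := strconv.ParseUint(installId, 10, 64)` and `if uint64(appId) != installIdInt {`. Gating the check on `mux.CurrentRoute(r).GetName() == "app-install-get-access-token"` means a renamed route or a second token-issuing route silently loses the check; a package-level constant for the route name, or enforcing the match in that handler itself, would keep it from drifting. Returning 401 for a caller that is authenticated but asking for someone else's install is closer to 403 (and a non-numeric ID is a 400), though the `"Invalid Install"` message should stay identical in both branches so the response does not leak which installation IDs exist. The enclosing `githubRestVerifyMiddleware` closure starts before and continues after this hunk, so the origin of `appId` and whether the request body was already consumed could not be checked here.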