refactor: ensure only a given install can access its access tokens with the app-install-get-access-token route
parent
d962eb5304
commit
346849cc8c
|
@ -15,6 +15,7 @@ import (
|
|||
"gorm.io/gorm"
|
||||
"io"
|
||||
"net/http"
|
||||
"strconv"
|
||||
"strings"
|
||||
)
|
||||
|
||||
|
@ -128,6 +129,21 @@ func githubRestVerifyMiddleware(db *gorm.DB) mux.MiddlewareFunc {
|
|||
http.Error(w, err.Error(), http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if mux.CurrentRoute(r).GetName() == "app-install-get-access-token" {
|
||||
installId := mux.Vars(r)["installation_id"]
|
||||
|
||||
installIdInt, err := strconv.Atoi(installId)
|
||||
if err != nil {
|
||||
http.Error(w, "Invalid Install", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
if appId != uint(installIdInt) {
|
||||
http.Error(w, "Invalid Install", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
addAuthStatusToRequestServ(true, r, w, next)
|
||||
|
|
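Review bot: The ownership check at `if appId != uint(installIdInt)` casts a signed `strconv.Atoi` result to `uint`, so a `+`-prefixed or negative `installation_id` parses successfully and a negative one wraps to a large unsigned value before the comparison; parse it as unsigned instead, e.g. `installIdU, err := strconv.ParseUint(installId, 10, 64)`, then compare `uint64(appId) != installIdU`. The guard also runs only when the route name equals the literal `"app-install-get-access-token"`, so renaming that route would silently drop the check and fail open; a shared constant for the name, or moving the check into the route's own handler, would keep the two tied together. `appId` is assigned outside the hunk, so it cannot be confirmed from here that comparing it to an installation id is the intended identity mapping; a short comment stating that assumption would help the next reader. For an authenticated caller asking for another install's token, `http.StatusForbidden` describes the outcome more accurately than `http.StatusUnauthorized`.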