Enforce user limiter also for API key middleware

This commit is contained in:
Taras Kushnir
2025-08-16 10:54:24 +03:00
parent 6c76c34df0
commit a68b60429a
2 changed files with 8 additions and 0 deletions
+7
@@ -363,6 +363,13 @@ func (am *AuthMiddleware) APIKey(keyFunc func(r *http.Request) string) func(http
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
return
}
// if user is not an active subscriber, their properties and orgs might still exist but should not allow API
if softRestriction, err := am.Limiter.Evaluate(ctx, apiKey.UserID.Int32); (err == nil) && !softRestriction {
http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
return
}
ctx = context.WithValue(ctx, common.APIKeyContextKey, apiKey)
} else {
ctx = context.WithValue(ctx, common.SecretContextKey, secret)
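Review bot: The new subscription gate fails open: the condition `(err == nil) && !softRestriction` only forbids when `Evaluate` succeeds, so any error from the limiter (DB outage, timeout, cancelled ctx) lets a non-subscriber's key straight through, and the error is discarded without a log line. For an authorization check the safe default is to deny on error, e.g. `if softRestriction, err := am.Limiter.Evaluate(ctx, apiKey.UserID.Int32); err != nil || !softRestriction {` (optionally answering 503 rather than 403 on the error path so operators can tell the two apart). `apiKey.UserID.Int32` is read without checking `.Valid`, so a NULL owner presumably becomes user 0; what `Evaluate` returns for that id is not visible here and worth confirming. The limiter runs only in the `apiKey != nil` branch; the `else` branch that stores `SecretContextKey` (the "postponed DB access" path per the second file's comment) does not appear to be gated, so if that path can serve requests, the subscription restriction can be bypassed there. The enclosing `APIKey` handler starts before this hunk and continues after it.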
+1
@@ -88,6 +88,7 @@ func (a *apiKeyOwnerSource) apiKey(ctx context.Context) (*dbgen.APIKey, error) {
if secret, ok := ctx.Value(common.SecretContextKey).(string); ok && (len(secret) > 0) {
// this is the "postponed" DB access mentioned in APIKey() middleware
// NOTE: here we do NOT verify user's subscription validity, it's done only in middleware
key, err := a.Store.Impl().RetrieveAPIKey(ctx, secret)
if err != nil {
a.cachedKey = key