
validate API key scope

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino 1 年之前
共有 2 个文件被更改,包括 23 次插入0 次删除
  1. 16 0
      internal/httpd/httpd_test.go
  2. 7 0
      internal/httpd/middleware.go

+ 16 - 0
internal/httpd/httpd_test.go

@@ -14965,6 +14965,13 @@ func TestUserAPIKey(t *testing.T) {
 	apiKey, _, err = httpdtest.AddAPIKey(apiKey, http.StatusCreated)
 	assert.NoError(t, err)
 
+	adminAPIKey := dataprovider.APIKey{
+		Name:  "testadminkey",
+		Scope: dataprovider.APIKeyScopeAdmin,
+	}
+	adminAPIKey, _, err = httpdtest.AddAPIKey(adminAPIKey, http.StatusCreated)
+	assert.NoError(t, err)
+
 	body := new(bytes.Buffer)
 	writer := multipart.NewWriter(body)
 	part, err := writer.CreateFormFile("filenames", "filenametest")
@@ -14993,6 +15000,12 @@ func TestUserAPIKey(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Len(t, dirEntries, 1)
 
+	req, err = http.NewRequest(http.MethodGet, userDirsPath, nil)
+	assert.NoError(t, err)
+	setAPIKeyForReq(req, adminAPIKey.Key, user.Username)
+	rr = executeRequest(req)
+	checkResponseCode(t, http.StatusForbidden, rr)
+
 	user.Status = 0
 	user, _, err = httpdtest.UpdateUser(user, http.StatusOK, "")
 	assert.NoError(t, err)
@@ -15069,6 +15082,9 @@ func TestUserAPIKey(t *testing.T) {
 
 	_, err = httpdtest.RemoveAPIKey(apiKeyNew, http.StatusOK)
 	assert.NoError(t, err)
+
+	_, err = httpdtest.RemoveAPIKey(adminAPIKey, http.StatusOK)
+	assert.NoError(t, err)
 }
 
 func TestWebClientViewPDF(t *testing.T) {
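Review bot: The new assertion only covers one direction of the scope check — an admin-scoped key against a user endpoint (`userDirsPath`) gets 403 — but the mirror case, the user-scoped key created earlier in the test being rejected on an admin endpoint, is not exercised, so a regression that only enforces one branch of `k.Scope != scope` would still pass. I would add a request with `setAPIKeyForReq(req, apiKey.Key, "")` against an admin-scoped path and `checkResponseCode(t, http.StatusForbidden, rr)`; which admin path is convenient depends on helpers outside this hunk. TestUserAPIKey starts before the first hunk, so the scope of `apiKey` at the top of the first hunk is inferred from its name rather than visible here.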

+ 7 - 0
internal/httpd/middleware.go

@@ -384,6 +384,13 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
 				sendAPIResponse(w, r, errors.New("the provided api key is not valid"), "", http.StatusBadRequest)
 				return
 			}
+			if k.Scope != scope {
+				handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
+				logger.Debug(logSender, "", "unable to authenticate api key %q: invalid scope: got %d, wnated: %d",
+					apiKey, k.Scope, scope)
+				sendAPIResponse(w, r, fmt.Errorf("the provided api key is invalid for this request"), "", http.StatusForbidden)
+				return
+			}
 			if err := k.Authenticate(key); err != nil {
 				handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), dataprovider.ErrInvalidCredentials) //nolint:errcheck
 				logger.Debug(logSender, "", "unable to authenticate api key %q: %v", apiKey, err)
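Review bot: The scope comparison is performed before `k.Authenticate(key)`, so a caller who presents a valid key identifier with a wrong secret still learns the key's scope from the distinct 403 "invalid for this request" response; moving the `if k.Scope != scope` block below the Authenticate check keeps scope information behind successful authentication without changing the outcome for legitimate callers. The debug message also has a typo, `"invalid scope: got %d, wnated: %d"` should read `"invalid scope: got %d, wanted: %d"`, and since the message has no format verbs, `fmt.Errorf("the provided api key is invalid for this request")` is better written as `errors.New("the provided api key is invalid for this request")`, matching the surrounding `errors.New` calls and avoiding the vet/lint warning for a constant format string. The rest of checkAPIKeyAuth, including where `k` and `key` are derived from the request, lies outside this hunk.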