From 064c930aede8d3e973ce442d9197d4a13d4c06b6 Mon Sep 17 00:00:00 2001
From: Athurg Gooth
Date: Wed, 25 Oct 2023 12:05:44 +0800
Subject: [PATCH] fix: validate username before create token (#2439)

Validate username before create token
---
 api/v2/user_service.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/api/v2/user_service.go b/api/v2/user_service.go
index 9d2cda26..a3b8ca8f 100644
--- a/api/v2/user_service.go
+++ b/api/v2/user_service.go
@@ -231,7 +231,22 @@ func (s *UserService) CreateUserAccessToken(ctx context.Context, request *apiv2p
 	if request.ExpiresAt != nil {
 		expiresAt = request.ExpiresAt.AsTime()
 	}
-	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, expiresAt, []byte(s.Secret))
+
+	// Create access token for other users need to be verified.
+	if user.Username != request.Username {
+		// Normal users can only create access tokens for others.
+		if user.Role == store.RoleUser {
+			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+		}
+
+		// The request user must be exist.
+		requestUser, err := s.Store.GetUser(ctx, &store.FindUser{Username: &request.Username})
+		if requestUser == nil || err != nil {
+			return nil, status.Errorf(codes.NotFound, "fail to find user %s", request.Username)
+		}
+	}
+
+	accessToken, err := auth.GenerateAccessToken(request.Username, user.ID, expiresAt, []byte(s.Secret))
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err)
 	}
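Review bot: The token is still minted with `user.ID` — the caller's ID — while its username is now `request.Username`, so a token created for another account carries the target's name but the creator's ID, and the `requestUser` fetched in the new branch is discarded after the nil check. Whether auth.GenerateAccessToken or the token verifier keys on the ID or the username is outside the hunk, but the two claims should not disagree: declare the subject before the check with `tokenUser := user`, set `tokenUser = requestUser` once the lookup succeeds, and call `auth.GenerateAccessToken(tokenUser.Username, tokenUser.ID, expiresAt, []byte(s.Secret))`. The inner comment also states the opposite of what the check enforces; make it `// Normal users can only create access tokens for themselves.` and reword `// The request user must exist.`. A store error from GetUser is reported as NotFound rather than Internal because `requestUser == nil || err != nil` folds both cases into one message, which hides backend failures from the caller and from logs. CreateUserAccessToken starts before and continues after the hunk.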