github
/
halo
mirror of https://github.com/halo-dev/halo
1
0
Fork 0
Code Issues Releases Wiki Activity

Fix the problem that OAuth2 users cannot create PATs (#4701) 

#### What type of PR is this?

/kind bug
/area core

#### What this PR does / why we need it:

If someone logs in Halo via OAuth2, they will be prohibited from creating PATs. See https://github.com/halo-dev/halo/issues/4697 for more.

This PR also checks for UsernamePasswordAuthenticationToken while checking whether the current session was created by a real user.

#### Which issue(s) this PR fixes:

Fixes https://github.com/halo-dev/halo/issues/4697

#### Does this PR introduce a user-facing change?

```release-note
None
```
pull/4708/head
John Niang 2023-10-09 23:18:28 -05:00 committed by GitHub
parent 1ff1b4f2a5
commit 63be25173d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java
View File

@ -11,11 +11,11 @@ import java.util.HashMap;
import java.util.List;
import java.util.Objects;
import java.util.function.Predicate;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
import org.springframework.security.oauth2.jwt.JwsHeader;
import org.springframework.security.oauth2.jwt.JwtClaimsSet;
@ -86,10 +86,9 @@ public class UserScopedPatHandlerImpl implements UserScopedPatHandler {
}
private static Mono<Authentication> mustBeRealUser(Mono<Authentication> authentication) {
return authentication.filter(auth -> auth.getPrincipal() instanceof UserDetails)
return authentication.filter(UsernamePasswordAuthenticationToken.class::isInstance)
// Non-username-password authentication could not access the API at any time.
.switchIfEmpty(
Mono.defer(() -> Mono.error(new AccessDeniedException())));
.switchIfEmpty(Mono.error(AccessDeniedException::new));
}
@Override