From 63be25173d54a7c926cc5f0b6dc72c07e372a29e Mon Sep 17 00:00:00 2001
From: John Niang
Date: Mon, 9 Oct 2023 23:18:28 -0500
Subject: [PATCH] Fix the problem that OAuth2 users cannot create PATs (#4701)
#### What type of PR is this? /kind bug /area core #### What this PR does / why we need it: If someone logs in Halo via OAuth2, they will be prohibited from creating PATs. See https://github.com/halo-dev/halo/issues/4697 for more. This PR also checks for UsernamePasswordAuthenticationToken while checking whether the current session was created by a real user. #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/4697 #### Does this PR introduce a user-facing change? ```release-note None ```
---
 .../authentication/pat/impl/UserScopedPatHandlerImpl.java | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java b/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java
index 855334726..833862c5a 100644
--- a/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java
+++ b/application/src/main/java/run/halo/app/security/authentication/pat/impl/UserScopedPatHandlerImpl.java
@@ -11,11 +11,11 @@ import java.util.HashMap;
 import java.util.List;
 import java.util.Objects;
 import java.util.function.Predicate;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.GrantedAuthority;
 import org.springframework.security.core.context.ReactiveSecurityContextHolder;
 import org.springframework.security.core.context.SecurityContext;
-import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.security.oauth2.jose.jws.SignatureAlgorithm;
 import org.springframework.security.oauth2.jwt.JwsHeader;
 import org.springframework.security.oauth2.jwt.JwtClaimsSet;
@@ -86,10 +86,9 @@ public class UserScopedPatHandlerImpl implements UserScopedPatHandler {
 }
 private static Mono mustBeRealUser(Mono authentication) {
- return authentication.filter(auth -> auth.getPrincipal() instanceof UserDetails)
+ return authentication.filter(UsernamePasswordAuthenticationToken.class::isInstance)
 // Non-username-password authentication could not access the API at any time.
- .switchIfEmpty(
- Mono.defer(() -> Mono.error(new AccessDeniedException())));
+ .switchIfEmpty(Mono.error(AccessDeniedException::new));
 }
 @Override
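Review bot: The new filter in mustBeRealUser admits any UsernamePasswordAuthenticationToken regardless of its authenticated flag, whereas the removed check was at least tied to a resolved UserDetails principal; Spring Security creates an unauthenticated UsernamePasswordAuthenticationToken during login and only replaces it on success, so chaining `.filter(Authentication::isAuthenticated)` after the type filter is a cheap guard against any path that leaves the pre-authentication token in the security context (likely unreachable here, but cheap to pin). The comment on the following line states the rule but not the reason; the intent appears to be that a request already authenticated by a PAT or other bearer token must never mint further PATs, so a comment such as `// Only an interactive login (form or OAuth2, which both yield a UsernamePasswordAuthenticationToken) may mint a PAT; a PAT/JWT-authenticated request must never create another token.` would make the invariant explicit, and the OAuth2 part should be confirmed against the login flow before being written as fact. The switchIfEmpty branch also maps a missing security context (empty upstream Mono) to AccessDeniedException rather than an authentication failure; that is pre-existing behaviour, but worth a short note if it is deliberate.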