Reuse user from session when issuing oa2 token

This way we keep user's roles in case the list was modified by external-auth-provider role security
2022-01-25 16:59:37 +01:00 · 2022-01-25 16:59:37 +01:00 · b22a4f8ea7
commit b22a4f8ea7
parent 07440a49df
1 changed files with 4 additions and 1 deletions
--- a/auth/handlers/handle_oauth2.go
+++ b/auth/handlers/handle_oauth2.go
@ -13,6 +13,7 @@ import (

 	"github.com/lestrrat-go/jwx/jwa"
 	"github.com/lestrrat-go/jwx/jwk"
+	"github.com/spf13/cast"

 	"github.com/go-chi/jwtauth"
 	oauth2errors "github.com/go-oauth2/oauth2/v4/errors"
@ -381,7 +382,9 @@ func (h AuthHandlers) handleTokenRequest(req *request.AuthReq, client *types.Aut
 			userID = userID[:i]
 		}

-		if user, err = h.UserService.FindByAny(suCtx, userID); err != nil {
+		if req.AuthUser != nil && req.AuthUser.User != nil && req.AuthUser.User.ID == cast.ToUint64(userID) {
+			user = req.AuthUser.User
+		} else if user, err = h.UserService.FindByAny(suCtx, userID); err != nil {
 			return h.tokenError(w, fmt.Errorf("could not generate token: %v", err))
 		}