fix(tokens): owner check on update and delete routes (#3899)

PATCH and DELETE /api/tokens/{id} both called require_admin but never checked that the token belonged to the requesting admin. Any admin could rename, re-scope, or delete another admin's token by ID. create_token already stamps owner on every token — update and delete just never read it. Fixed by comparing token.owner against get_current_user(request) after the 404 guard, same pattern the rest of the auth routes use. Check is skipped when current_user is falsy (AUTH_ENABLED=false / single-user mode). Fixes #3898
2026-06-17 10:15:27 -04:00 · 2026-06-11 19:04:44 +05:30
parent 4f48cfa9ae
commit a7b03398b6
2 changed files with 109 additions and 4 deletions
@@ -154,6 +154,7 @@ def setup_api_token_routes() -> APIRouter:
    @router.patch("/tokens/{token_id}")
    async def update_token(request: Request, token_id: str):
        require_admin(request)
+        current_user = get_current_user(request)
        try:
            payload = await request.json()
        except Exception:
@@ -162,6 +163,8 @@ def setup_api_token_routes() -> APIRouter:
            token = db.query(ApiToken).filter(ApiToken.id == token_id).first()
            if not token:
                raise HTTPException(404, "Token not found")
+            if current_user and token.owner != current_user:
+                raise HTTPException(403, "Not your token")
            if isinstance(payload.get("name"), str) and payload["name"].strip():
                token.name = payload["name"].strip()[:MAX_NAME_LEN]
            # Only touch scopes when the caller actually sent them. A partial
@@ -189,10 +192,14 @@ def setup_api_token_routes() -> APIRouter:
    @router.delete("/tokens/{token_id}")
    def delete_token(request: Request, token_id: str):
        require_admin(request)
+        current_user = get_current_user(request)
        with get_db_session() as db:
-            deleted = db.query(ApiToken).filter(ApiToken.id == token_id).delete()
-            if not deleted:
+            token = db.query(ApiToken).filter(ApiToken.id == token_id).first()
+            if not token:
                raise HTTPException(404, "Token not found")
+            if current_user and token.owner != current_user:
+                raise HTTPException(403, "Not your token")
+            db.delete(token)
        _invalidate_cache(request)
        return {"status": "deleted"}