fix(httpapi): bind session token to current AuthUser; add negative auth tests

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01MMHQTtnQtQqL8muAXHr9kd
2026-07-01 18:24:35 +07:00
parent cae124931d
commit 839febb83a
2 changed files with 40 additions and 1 deletions
+2 -1
@@ -58,7 +58,8 @@ func (s *Server) requireAuth(next http.Handler) http.Handler {
http.Error(w, "unauthorized", http.StatusUnauthorized)
return
}
if _, ok := crypto.VerifySession(s.cfg.SessionSecret, c.Value, time.Now()); !ok {
user, ok := crypto.VerifySession(s.cfg.SessionSecret, c.Value, time.Now())
if !ok || user != s.cfg.AuthUser {
http.Error(w, "unauthorized", http.StatusUnauthorized)
return
}
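Review bot: The new `user != s.cfg.AuthUser` comparison carries no comment, and its consequence is not obvious from the line itself: any session minted while a different AuthUser was configured is now rejected, so changing the configured user logs everyone out. A why-comment above the added check would save the next maintainer from "fixing" it, e.g. `// Reject sessions issued for a different user, so rotating cfg.AuthUser invalidates existing tokens.` Whether VerifySession can return an empty user for a valid token, and what AuthUser contains when unset, is not visible here; if both can be empty, the equality check would pass trivially, which is worth confirming against the config loader and covering in the negative tests this commit adds. The enclosing requireAuth handler starts before the hunk and continues past it.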