From 35e2a68a988c90392427eaf7beb0c3f4b03cc313 Mon Sep 17 00:00:00 2001
From: ben-toogood
Date: Wed, 25 Mar 2020 10:31:33 +0000
Subject: [PATCH] Fix auth bug restricting access to unauthorised endpoints (#1405)

Co-authored-by: Ben Toogood
---
 util/wrapper/wrapper.go | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/util/wrapper/wrapper.go b/util/wrapper/wrapper.go
index 55f3caf3..cab93d5c 100644
--- a/util/wrapper/wrapper.go
+++ b/util/wrapper/wrapper.go
@@ -184,13 +184,15 @@ func AuthHandler(fn func() auth.Auth, srvName string) server.HandlerWrapper {
 // Inspect the token and get the account
 account, err := a.Inspect(token)
 if err != nil {
-return errors.Unauthorized("go.micro.auth", "Unauthorised call made to %v", req.Endpoint())
+account = &auth.Account{}
 }
 
 // Verify the caller has access to the resource
-resource := &auth.Resource{Type: "service", Name: srvName, Endpoint: req.Endpoint()}
-if err := a.Verify(account, resource); err != nil {
-return errors.Forbidden("go.micro.auth", "Forbidden call made to %v %v by %v", srvName, req.Endpoint(), account.ID)
+err = a.Verify(account, &auth.Resource{Type: "service", Name: srvName, Endpoint: req.Endpoint()})
+if err != nil && len(account.ID) > 0 {
+return errors.Forbidden("go.micro.auth", "Forbidden call made to %v:%v by %v", srvName, req.Endpoint(), account.ID)
+} else if err != nil {
+return errors.Unauthorized("go.micro.auth", "Unauthorised call made to %v:%v", srvName, req.Endpoint())
 }
 
 // There is an account, set it in the context
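Review bot: When `a.Inspect(token)` fails, the placeholder `account = &auth.Account{}` now survives a successful `Verify` and, if the lines after the hunk do what the closing comment says, is written into the context as though it were a real account; any downstream code that treats "account present in context" as "caller authenticated" would then see anonymous callers as authenticated. Guard that write on `len(account.ID) > 0` (or leave the context untouched for anonymous callers) so only an account that Inspect actually produced is propagated. The Inspect error is also discarded, so an expired or tampered token becomes indistinguishable from no token at all; recording it at debug level before the fallback keeps rejected tokens observable without changing the outcome. As a point of style, the `} else if err != nil {` after a returning branch can be flattened to a single `if err != nil {` whose body returns Forbidden when `len(account.ID) > 0` and Unauthorized otherwise. The enclosing `AuthHandler` body starts before and continues past this hunk.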