mod_tokenauth: Return error instead of session for token without role
Such a session triggers errors in module:may or other places since it is
generally expected that a session must have a role.
--- a/plugins/mod_tokenauth.lua Sun May 07 13:13:42 2023 +0200
+++ b/plugins/mod_tokenauth.lua Sun May 07 20:33:03 2023 +0200
@@ -252,12 +252,14 @@
local token_info, err = _get_validated_token_info(token_id, token_user, token_host, token_secret);
if not token_info then return nil, err; end
+ local role = select_role(token_user, token_host, token_info.role);
+ if not role then return nil, "not-authorized"; end
return {
username = token_user;
host = token_host;
resource = token_info.resource or resource or generate_identifier();
- role = select_role(token_user, token_host, token_info.role);
+ role = role;
};
end
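Review bot: The new early return `if not role then return nil, "not-authorized"; end` rejects a token that has already passed validation without leaving any trace, so an operator likely cannot tell a role-resolution failure apart from a bad or expired token reported through `err` on the line above. A log line before the return, naming only the user and host and never the token secret, would make this diagnosable, e.g. `module:log("warn", "Token for %s@%s has no usable role, rejecting", token_user, token_host);`. A short comment such as `-- a session without a role breaks module:may, so refuse it here` would also record why the check exists. The enclosing function starts outside the hunk, so how callers handle the "not-authorized" string cannot be confirmed from here.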