🐛 Mark rpc calls as authenticated when shared key is used (#7901)

2025-12-22 12:18:36 +01:00 · 2025-12-22 12:18:36 +01:00 · 88dcf9d1fe
parent 2acf15958b
commit 88dcf9d1fe
2 changed files with 7 additions and 2 deletions
--- a/backend/src/app/http/middleware.clj
+++ b/backend/src/app/http/middleware.clj
@ -309,7 +309,7 @@
      (fn [request]
        (let [key (yreq/get-header request "x-shared-key")]
          (if (= key shared-key)
-            (handler request)
+            (handler (assoc request ::http/auth-with-shared-key true))
            {::yres/status 403}))))
    (fn [_ _]
      {::yres/status 403})))
--- a/backend/src/app/rpc.clj
+++ b/backend/src/app/rpc.clj
@ -14,6 +14,7 @@
   [app.common.spec :as us]
   [app.common.time :as ct]
   [app.common.uri :as u]
+   [app.common.uuid :as uuid]
   [app.config :as cf]
   [app.db :as db]
   [app.http :as-alias http]
@ -92,7 +93,11 @@
      (let [handler-name (:type path-params)
            etag         (yreq/get-header request "if-none-match")
            profile-id   (or (::session/profile-id request)
-                             (::actoken/profile-id request))
+                             (::actoken/profile-id request)
+                             (if (::http/auth-with-shared-key request)
+                               uuid/zero
+                               nil))
+
            ip-addr      (inet/parse-request request)

            data         (-> params