fix(api): prevent API auth from inheriting impersonation (#2405)

Build fresh API session contexts instead of reusing persisted web sessions that may carry impersonation state.

Reject deactivated report export API key owners and strengthen regression coverage for API key, OAuth, and report export authentication paths.
This commit is contained in:
Orange🍊
2026-06-19 23:14:43 +08:00
committed by GitHub
parent 318c7476e1
commit 6e5f35b306
4 changed files with 153 additions and 22 deletions

View File

@@ -310,23 +310,15 @@ class Api::V1::BaseController < ApplicationController
# Set up Current context for API requests since we don't use session-based auth
def setup_current_context_for_api
# For API requests, we need to create a minimal session-like object
# or find/create an actual session for this user to make Current.user work
if @current_user
# Try to find an existing session for this user, or create a temporary one
session = @current_user.sessions.first
if session
Current.session = session
else
# Create a temporary session for this API request
# This won't be persisted but will allow Current.user to work
session = @current_user.sessions.build(
user_agent: request.user_agent,
ip_address: request.ip
)
Current.session = session
end
end
return unless @current_user
# Build a fresh unsaved session so API requests never reuse an existing
# web session that may already carry impersonation state.
Current.session = @current_user.sessions.build(
user_agent: request.user_agent,
ip_address: request.ip
)
Current.session.active_impersonator_session = nil
end
# Check if AI features are enabled for the current user