mirror of
https://github.com/we-promise/sure.git
synced 2026-07-16 14:55:23 +00:00
fix(api): prevent API auth from inheriting impersonation (#2405)
Build fresh API session contexts instead of reusing persisted web sessions that may carry impersonation state. Reject deactivated report export API key owners and strengthen regression coverage for API key, OAuth, and report export authentication paths.
This commit is contained in:
@@ -310,23 +310,15 @@ class Api::V1::BaseController < ApplicationController
|
||||
|
||||
# Set up Current context for API requests since we don't use session-based auth
|
||||
def setup_current_context_for_api
|
||||
# For API requests, we need to create a minimal session-like object
|
||||
# or find/create an actual session for this user to make Current.user work
|
||||
if @current_user
|
||||
# Try to find an existing session for this user, or create a temporary one
|
||||
session = @current_user.sessions.first
|
||||
if session
|
||||
Current.session = session
|
||||
else
|
||||
# Create a temporary session for this API request
|
||||
# This won't be persisted but will allow Current.user to work
|
||||
session = @current_user.sessions.build(
|
||||
user_agent: request.user_agent,
|
||||
ip_address: request.ip
|
||||
)
|
||||
Current.session = session
|
||||
end
|
||||
end
|
||||
return unless @current_user
|
||||
|
||||
# Build a fresh unsaved session so API requests never reuse an existing
|
||||
# web session that may already carry impersonation state.
|
||||
Current.session = @current_user.sessions.build(
|
||||
user_agent: request.user_agent,
|
||||
ip_address: request.ip
|
||||
)
|
||||
Current.session.active_impersonator_session = nil
|
||||
end
|
||||
|
||||
# Check if AI features are enabled for the current user
|
||||
|
||||
Reference in New Issue
Block a user