From 66127aa8338579322bd95bd13dc14a99f24becdd Mon Sep 17 00:00:00 2001
From: Michael Yang
Date: Wed, 1 Dec 2021 14:45:27 -0800
Subject: [PATCH] access: fix token permissions (#707)

* access: fix token permissions

* add test
---
 internal/access/access.go | 1 -
 internal/access/access_test.go | 12 +++++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/internal/access/access.go b/internal/access/access.go
index 30ca99e949..24100da5fd 100644
--- a/internal/access/access.go
+++ b/internal/access/access.go
@@ -63,7 +63,6 @@ func RequireAuthorization(c *gin.Context, require Permission) (*gorm.DB, string,
 }
 }
 
- return db, authorization, nil
 case data.APIKeyLength:
 apiKey, err := data.GetAPIKey(db, &data.APIKey{Key: authorization})
 if err != nil {
diff --git a/internal/access/access_test.go b/internal/access/access_test.go
index 4cc5875b00..71e636aec2 100644
--- a/internal/access/access_test.go
+++ b/internal/access/access_test.go
@@ -93,6 +93,16 @@ func TestRequireAuthorization(t *testing.T) {
 require.EqualError(t, err, "token invalid")
 },
 },
+ "TokenNoMatch": {
+ "permission": PermissionAPIKeyList,
+ "authFunc": func(t *testing.T, db *gorm.DB, c *gin.Context) {
+ authorization := issueToken(t, db, "existing@infrahq.com", "infra.user.read", time.Minute*1)
+ c.Set("authorization", authorization)
+ },
+ "verifyFunc": func(t *testing.T, err error) {
+ require.EqualError(t, err, "forbidden")
+ },
+ },
 "TokenInvalidSecret": {
 "permission": PermissionUserRead,
 "authFunc": func(t *testing.T, db *gorm.DB, c *gin.Context) {
@@ -187,7 +197,7 @@ func TestRequireAuthorization(t *testing.T) {
 require.NoError(t, err)
 },
 },
- "APIKeyAuthorizedNoMatch": {
+ "APIKeyNoMatch": {
 "permission": PermissionUserRead,
 "authFunc": func(t *testing.T, db *gorm.DB, c *gin.Context) {
 authorization := issueAPIKey(t, db, "infra.user.create infra.group.read")
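Review bot: Nothing in the access.go hunk shows what the `case data.TokenLength:` arm now does when no permission matches — control falls out of the switch to code outside the hunk, and only the new test's expectation of "forbidden" suggests that is a deny path. The removed `return db, authorization, nil` was a fail-open: any validly signed token was authorized regardless of `require`, so the silent fall-through deserves a comment where that line stood, `// no permission matched: fall through to the deny path after the switch`, so the next refactor does not reintroduce an early return. The `case data.APIKeyLength:` arm begins in this hunk but its no-match handling does not, so it is worth confirming it ends the same way. RequireAuthorization starts and ends outside the hunk.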
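Review bot: `time.Minute*1` on the issueToken line of the new TokenNoMatch case is just `time.Minute`; the explicit multiplier reads as if a different lifetime had been intended. The case pins only one non-matching permission string; a sibling case issuing a token with an empty permission list would cover the other obvious way the old unconditional return fail-opened, mirroring what the renamed APIKeyNoMatch case does for API keys. Asserting the exact string "forbidden" is the right call here, since a message that named the missing permission would leak policy detail to the caller. TestRequireAuthorization starts and ends outside the hunk.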