Harden forward-auth, per-user isolation, and budget accuracy
Code-review fixes on the Authentik/budget/Resend work: - UpsertForwardUser: avoid 500 lockout on username UNIQUE collision and on the concurrent first-login race; normalize emails (lower+trim) so case variants don't create duplicate accounts. - Centralize email management in Authentik: when forward-auth mode is on, email is read-only in Veola for every user (not just forward rows); pure-local deployments keep editable email for Resend. - Fail closed on per-user isolation: ownedItem rejects uid==0/orphaned items; dashboard and global results error on a userless request. - Budget accuracy: count Apify usage only after a successful run, and count the billed Test Apify run. - Efficiency: resolve the deal-email recipient once per poll; build the settings page once in PostEmailPrefs.
This commit is contained in:
@@ -106,6 +106,12 @@ func (a *App) GetGlobalResults(w http.ResponseWriter, r *http.Request) {
|
||||
to := strings.TrimSpace(q.Get("to"))
|
||||
|
||||
uid := a.userID(r)
|
||||
// Fail closed: ListResults/NextEndingResult treat OwnerID 0 as "all owners",
|
||||
// so a userless request must not fall through to a cross-tenant view.
|
||||
if uid == 0 {
|
||||
http.Error(w, "unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
items, err := a.Store.ListItemsForUser(r.Context(), uid)
|
||||
if err != nil {
|
||||
a.serverError(w, r, err)
|
||||
|
||||
Reference in New Issue
Block a user