[management] Validate peer ownership during login (#2704)

* check peer ownership in login Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> * update error message Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com> --------- Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-11-21 23:53:14 +01:00 · 2024-10-07 19:06:26 +03:00 · 2024-10-07 19:06:26 +03:00 · 2c1f5e46d5
commit 2c1f5e46d5
parent dbec24b520
1 changed files with 5 additions and 0 deletions
--- a/management/server/peer.go
+++ b/management/server/peer.go
@ -693,6 +693,11 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login PeerLogin)
 	updateRemotePeers := false

 	if login.UserID != "" {
+		if peer.UserID != login.UserID {
+			log.Warnf("user mismatch when logging in peer %s: peer user %s, login user %s ", peer.ID, peer.UserID, login.UserID)
+			return nil, nil, nil, status.Errorf(status.Unauthenticated, "invalid user")
+		}
+
 		changed, err := am.handleUserPeer(ctx, peer, settings)
 		if err != nil {
 			return nil, nil, nil, err