| 185 | } |
| 186 | |
| 187 | func (a *API) requireAdminCredentials(w http.ResponseWriter, req *http.Request) (context.Context, error) { |
| 188 | t, err := a.extractBearerToken(req) |
| 189 | if err != nil || t == "" { |
| 190 | return nil, err |
| 191 | } |
| 192 | |
| 193 | ctx, err := a.parseJWTClaims(t, req) |
| 194 | if err != nil { |
| 195 | return nil, err |
| 196 | } |
| 197 | |
| 198 | // If the token references a real user session, confirm the session |
| 199 | // still exists and is valid in the DB — a JWT remains usable past |
| 200 | // logout or revocation otherwise. Sessionless admin tokens (e.g. |
| 201 | // service_role) skip this check. |
| 202 | claims := getClaims(ctx) |
| 203 | if claims != nil && claims.SessionId != "" && claims.SessionId != uuid.Nil.String() { |
| 204 | ctx, err = a.maybeLoadUserOrSession(ctx) |
| 205 | if err != nil { |
| 206 | return nil, err |
| 207 | } |
| 208 | |
| 209 | session := getSession(ctx) |
| 210 | user := getUser(ctx) |
| 211 | if session != nil && user != nil { |
| 212 | validity := session.CheckValidity(models.SessionValidityConfig{ |
| 213 | Timebox: a.config.Sessions.Timebox, |
| 214 | InactivityTimeout: a.config.Sessions.InactivityTimeout, |
| 215 | AllowLowAAL: a.config.Sessions.AllowLowAAL, |
| 216 | }, time.Now(), nil, user.HighestPossibleAAL()) |
| 217 | if validity != models.SessionValid { |
| 218 | return nil, apierrors.NewForbiddenError(apierrors.ErrorCodeSessionExpired, "Session is no longer valid") |
| 219 | } |
| 220 | } |
| 221 | } |
| 222 | |
| 223 | return a.requireAdmin(ctx) |
| 224 | } |
| 225 | |
| 226 | func (a *API) requireEmailProvider(w http.ResponseWriter, req *http.Request) (context.Context, error) { |
| 227 | ctx := req.Context() |