forked from molecule-ai/molecule-core
PR #1210 added org_api_tokens.org_id but c.Set("org_id", ...) was never called — so orgCallerID() always returns "" and all token callers are denied org-scoped access even within their own org. Fix: after orgtoken.Validate succeeds in AdminAuth, look up the token's org_id column and set it in the gin context. Pre-fix tokens (org_id=NULL) get no org_id in context, which is correct — requireCallerOwnsOrg already denies access for nil org_id. Test: TestAdminAuth_OrgToken_SetsOrgID covers both post-fix tokens (org_id set) and pre-fix tokens (org_id=NULL, not set).

Co-authored-by: Molecule AI Infra-SRE <infra-sre@agents.moleculesai.app>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
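The mechanism the commit message describes (validate the token, copy a nullable org_id into the request context only when it is non-NULL, and have the org-scope check deny whenever no caller org is set) as an added, self-contained example. This is not molecule-core's code: it uses the standard library's request context in place of the gin context, an in-memory map as a constructed stand-in for the org_api_tokens table, a hypothetical validateToken in place of orgtoken.Validate, and reads the target org from a hypothetical X-Org header rather than a route parameter. The names AdminAuth, orgCallerID and requireCallerOwnsOrg are taken from the message; their bodies here are illustrative.

```go
package main

import (
	"context"
	"database/sql"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ctxKey is unexported so only this package can set the org_id value
// (the stdlib equivalent of c.Set("org_id", ...) on a gin context).
type ctxKey string

const orgIDKey ctxKey = "org_id"

// tokenRecord stands in for one row of org_api_tokens. OrgID is nullable:
// tokens issued before the column existed carry NULL.
type tokenRecord struct {
	OrgID sql.NullString
}

// tokens is a constructed in-memory stand-in for the org_api_tokens table.
var tokens = map[string]tokenRecord{
	"tok-post-fix": {OrgID: sql.NullString{String: "org-123", Valid: true}},
	"tok-pre-fix":  {OrgID: sql.NullString{}}, // org_id = NULL
}

// validateToken is a hypothetical stand-in for orgtoken.Validate: it checks
// the bearer token and returns the matching row.
func validateToken(r *http.Request) (tokenRecord, bool) {
	auth := r.Header.Get("Authorization")
	raw := strings.TrimPrefix(auth, "Bearer ")
	if raw == auth { // no "Bearer " prefix present
		return tokenRecord{}, false
	}
	rec, ok := tokens[raw]
	return rec, ok
}

// AdminAuth rejects unknown tokens and, only when the row's org_id is
// non-NULL, stores it in the request context for downstream checks.
func AdminAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rec, ok := validateToken(r)
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if rec.OrgID.Valid {
			r = r.WithContext(context.WithValue(r.Context(), orgIDKey, rec.OrgID.String))
		}
		next.ServeHTTP(w, r)
	})
}

// orgCallerID returns the caller's org_id, or "" when none was set.
func orgCallerID(r *http.Request) string {
	v, _ := r.Context().Value(orgIDKey).(string)
	return v
}

// requireCallerOwnsOrg denies when the caller has no org_id (pre-fix token)
// or when it does not match the org being accessed.
func requireCallerOwnsOrg(r *http.Request, targetOrg string) bool {
	caller := orgCallerID(r)
	return caller != "" && caller == targetOrg
}

// orgHandler is a hypothetical org-scoped endpoint; the target org is read
// from the X-Org header here for brevity.
func orgHandler(w http.ResponseWriter, r *http.Request) {
	target := r.Header.Get("X-Org")
	if !requireCallerOwnsOrg(r, target) {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "ok %s", target)
}

// RequestStatus sends one request through AdminAuth -> orgHandler and returns
// the HTTP status, so the four cases can be checked without a live server.
func RequestStatus(token, targetOrg string) int {
	req := httptest.NewRequest(http.MethodGet, "/org", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	req.Header.Set("X-Org", targetOrg)
	rr := httptest.NewRecorder()
	AdminAuth(http.HandlerFunc(orgHandler)).ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	fmt.Println(RequestStatus("tok-post-fix", "org-123")) // 200: own org
	fmt.Println(RequestStatus("tok-post-fix", "org-999")) // 403: other org
	fmt.Println(RequestStatus("tok-pre-fix", "org-123"))  // 403: NULL org_id
	fmt.Println(RequestStatus("", "org-123"))             // 401: no token
}
```

The gating on `rec.OrgID.Valid` is the part that matters: a NULL column must leave the context untouched so that `orgCallerID` returns "" and `requireCallerOwnsOrg` denies, rather than storing an empty string that a later check might mistake for a real org.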
| File |
|---|
| mcp_ratelimit_test.go |
| mcp_ratelimit.go |
| ratelimit_test.go |
| ratelimit.go |
| securityheaders_test.go |
| securityheaders.go |
| session_auth_test.go |
| session_auth.go |
| tenant_guard_test.go |
| tenant_guard.go |
| wsauth_middleware_test.go |
| wsauth_middleware.go |