NM-258: fix node verification

2026-04-22 16:07:11 +08:00 · 2026-03-03 16:42:34 +04:00
parent 56756bdfb5
commit 0c4d431df2
1 changed files with 14 additions and 8 deletions
@@ -155,26 +155,32 @@ func AuthorizeHost(
 			authToken = tokenSplit[1]
 		}

-		id, _, _, err := logic.VerifyHostToken(authToken)
+		hostID, _, _, err := logic.VerifyHostToken(authToken)
 		if err != nil {
 			logic.ReturnErrorResponse(w, r, logic.FormatError(logic.Unauthorized_Err, logic.Unauthorized_Msg))
 			return
 		}

 		// master key bypasses ownership checks
-		if id != logic.MasterUser {
+		if hostID != logic.MasterUser {
 			params := mux.Vars(r)
-			if paramHostID := params["hostid"]; paramHostID != "" && id != paramHostID {
+			if paramHostID := params["hostid"]; paramHostID != "" && hostID != paramHostID {
 				logic.ReturnErrorResponse(w, r, forbiddenResponse)
 				return
 			}
-			if paramNodeID := params["nodeid"]; paramNodeID != "" && id != paramNodeID {
-				logic.ReturnErrorResponse(w, r, forbiddenResponse)
-				return
+			if nodeID := params["nodeid"]; nodeID != "" {
+				node, err := logic.GetNodeByID(nodeID)
+				if err != nil {
+					logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
+					return
+				}
+				if node.HostID.String() != hostID {
+					logic.ReturnErrorResponse(w, r, forbiddenResponse)
+					return
+				}
 			}
 		}
-
-		r.Header.Set(hostIDHeader, id)
+		r.Header.Set(hostIDHeader, hostID)
 		next.ServeHTTP(w, r)
 	}
 }