This commit is contained in:
2026-06-20 19:16:44 +08:00
parent db3d030169
commit dbb87823e8
26 changed files with 676 additions and 115 deletions
+17 -8
View File
@@ -144,14 +144,14 @@ func postToken(deps AdminHandlerDeps) http.HandlerFunc {
}
type tokenRow struct {
ID string `json:"id"`
Name string `json:"name"`
Issuer string `json:"issuer"`
Scope Scope `json:"scope"`
ExpiresAt *string `json:"expires_at,omitempty"`
RevokedAt *string `json:"revoked_at,omitempty"`
ID string `json:"id"`
Name string `json:"name"`
Issuer string `json:"issuer"`
Scope Scope `json:"scope"`
ExpiresAt *string `json:"expires_at,omitempty"`
RevokedAt *string `json:"revoked_at,omitempty"`
LastUsedAt *string `json:"last_used_at,omitempty"`
CreatedAt string `json:"created_at"`
CreatedAt string `json:"created_at"`
}
func listTokens(deps AdminHandlerDeps) http.HandlerFunc {
@@ -200,7 +200,7 @@ func listTokens(deps AdminHandlerDeps) http.HandlerFunc {
func deleteToken(deps AdminHandlerDeps) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
rid := middleware.RequestIDFromContext(r.Context())
caller, _, err := resolveSessionUser(r.Context(), deps.Users, r)
caller, isAdmin, err := resolveSessionUser(r.Context(), deps.Users, r)
if err != nil {
httpx.WriteError(w, rid, err)
return
@@ -211,6 +211,15 @@ func deleteToken(deps AdminHandlerDeps) http.HandlerFunc {
httpx.WriteError(w, rid, errs.Wrap(err, errs.CodeInvalidInput, "id parse"))
return
}
// 授权:仅 admin 或 token 持有者可撤销。非 admin 时按 id 反查 token
// 校验归属;不归属(或不存在)一律返 NotFound,避免暴露 token 是否存在。
if !isAdmin {
tok, err := deps.Tokens.GetByID(r.Context(), id)
if err != nil || tok.UserID != caller {
httpx.WriteError(w, rid, errs.New(errs.CodeMcpTokenNotFound, "mcp token not found"))
return
}
}
if err := deps.Tokens.Revoke(r.Context(), id, caller); err != nil {
httpx.WriteError(w, rid, err)
return