Enforce group access on Bearer API key forward-auth at use-time

The ApiKey model only validates group access on creation (user_must_have_access runs on create). The bearer path in /api/verify never re-checked, so a user removed from an application's allowed groups kept access via an existing key until it was manually revoked. Add an app.user_allowed?(user) check to authenticate_bearer_token, matching the session path, returning 401 when the user no longer has group access. Adds a regression test that revokes membership after key creation. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-11 07:54:48 +10:00
parent 703d24e4e4
commit 8a095e4939
2 changed files with 44 additions and 0 deletions
--- a/app/controllers/api/forward_auth_controller.rb
+++ b/app/controllers/api/forward_auth_controller.rb
@@ -138,6 +138,14 @@ module Api
        return render_bearer_error("Application is inactive")
      end

+      # Re-check group membership at use-time. The ApiKey model only validates
+      # access on creation, so a user removed from the app's allowed groups
+      # afterwards must not keep access via an existing key.
+      unless app.user_allowed?(user)
+        Rails.logger.info "ForwardAuth: API key '#{api_key.name}' denied - user #{user.email_address} lacks group access to #{app.domain_pattern}"
+        return render_bearer_error("Access denied: insufficient group membership")
+      end
+
      api_key.touch_last_used!

      headers = app.headers_for_user(user)