hub: return error if accessing /api/beszel/universal-token with a superuser account (#1870)

2026-04-06 13:01:49 +02:00 · 2026-04-01 22:16:47 -04:00
parent ba10da1b9f
commit 0fff699bf6
3 changed files with 33 additions and 0 deletions
--- a/internal/hub/api_test.go
+++ b/internal/hub/api_test.go
@@ -45,6 +45,12 @@ func TestApiRoutesAuthentication(t *testing.T) {
 	readOnlyUser, err := beszelTests.CreateUserWithRole(hub, "readonly@example.com", "password123", "readonly")
 	require.NoError(t, err, "Failed to create readonly user")
 	readOnlyUserToken, err := readOnlyUser.NewAuthToken()
+	require.NoError(t, err, "Failed to create readonly user auth token")
+
+	superuser, err := beszelTests.CreateSuperuser(hub, "superuser@example.com", "password123")
+	require.NoError(t, err, "Failed to create superuser")
+	superuserToken, err := superuser.NewAuthToken()
+	require.NoError(t, err, "Failed to create superuser auth token")

 	// Create test system
 	system, err := beszelTests.CreateRecord(hub, "systems", map[string]any{
@@ -197,6 +203,19 @@ func TestApiRoutesAuthentication(t *testing.T) {
 			ExpectedContent: []string{"\"permanent\":true", "permanent-token-123"},
 			TestAppFactory:  testAppFactory,
 		},
+		{
+			Name:   "GET /universal-token - superuser should fail",
+			Method: http.MethodGet,
+			URL:    "/api/beszel/universal-token",
+			Headers: map[string]string{
+				"Authorization": superuserToken,
+			},
+			ExpectedStatus:  403,
+			ExpectedContent: []string{"Superusers cannot use universal tokens"},
+			TestAppFactory: func(t testing.TB) *pbTests.TestApp {
+				return hub.TestApp
+			},
+		},
 		{
 			Name:   "GET /universal-token - with readonly auth should fail",
 			Method: http.MethodGet,