From 98d5a50eb6f0183bcce937fa2d18019e2c6006bd Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Sun, 7 May 2023 20:33:03 +0200
Subject: mod_tokenauth: Return error instead of session for token without role

Such a session triggers errors in module:may or other places since it is generally expected that a session must have a role.
---
plugins/mod_tokenauth.lua | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'plugins/mod_tokenauth.lua')
diff --git a/plugins/mod_tokenauth.lua b/plugins/mod_tokenauth.lua
index ccd06155..4f0e6c54 100644
--- a/plugins/mod_tokenauth.lua
+++ b/plugins/mod_tokenauth.lua
@@ -252,12 +252,14 @@ function get_token_session(token, resource)
 local token_info, err = _get_validated_token_info(token_id, token_user, token_host, token_secret);
 if not token_info then return nil, err; end
+ local role = select_role(token_user, token_host, token_info.role);
+ if not role then return nil, "not-authorized"; end
 return {
 username = token_user;
 host = token_host;
 resource = token_info.resource or resource or generate_identifier();
- role = select_role(token_user, token_host, token_info.role);
+ role = role;
 };
 end
-- cgit v1.2.3
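Review bot: The new early return `if not role then return nil, "not-authorized"; end` rejects a token that has already passed `_get_validated_token_info` without leaving any trace, so an operator cannot tell a missing or misconfigured role from a bad token when investigating failed logins. Consider logging before the return, for example `module:log("debug", "Token for %s@%s rejected: no role could be selected", token_user, token_host);`, naming only the user and host and never the token or its secret. A one-line why-comment above the check would also help the next reader: `-- Fail closed: a session without a role breaks module:may() and other permission checks`. The start of get_token_session and the body of select_role are outside the hunk, so whether select_role already logs this case cannot be confirmed from here.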