From 12796ef63932baaecc5a25ce81440548eff9cb8b Mon Sep 17 00:00:00 2001
From: Joe Julian
Date: Sat, 11 Apr 2026 16:51:24 -0700
Subject: [PATCH] Allow scoped tokens to read session status

---
 internal/api/server.go | 2 +-
 internal/api/server_test.go | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/internal/api/server.go b/internal/api/server.go
index a62e761..1973917 100644
--- a/internal/api/server.go
+++ b/internal/api/server.go
@@ -109,7 +109,7 @@ func (s *Server) SetSessionState(model vault.Model, locked, dirty bool) {
 }
 
 func (s *Server) GetSessionStatus(ctx context.Context, _ *keepassgov1.GetSessionStatusRequest) (*keepassgov1.GetSessionStatusResponse, error) {
-	if _, err := s.authorizeVaultRequest(ctx, apitokens.OperationManageVault); err != nil {
+	if _, err := s.authenticateRequest(ctx); err != nil {
 		return nil, err
 	}
 	s.mu.RLock()
diff --git a/internal/api/server_test.go b/internal/api/server_test.go
index d4f52c0..9f39597 100644
--- a/internal/api/server_test.go
+++ b/internal/api/server_test.go
@@ -100,7 +100,7 @@ func TestVaultServiceRejectsUnauthorizedEntryAccess(t *testing.T) {
 	}
 }
 
-func TestVaultServiceRejectsUnauthorizedVaultManagement(t *testing.T) {
+func TestVaultServiceAllowsSessionStatusWithoutManageVault(t *testing.T) {
 	t.Parallel()
 	client, _, cleanup := newTestClientForModel(t, vault.Model{
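Review bot: GetSessionStatus now gates on authenticateRequest alone, so every valid token regardless of its operation scope can read whatever the response carries, and nothing on the method states that this widening is deliberate. A doc comment would make the policy explicit and stop a later reader from "fixing" it back: `// GetSessionStatus reports the current session state to any authenticated caller; unlike the vault-mutating RPCs it requires no operation scope.` The method body continues past the hunk under s.mu.RLock(), and the neighbouring SetSessionState(model vault.Model, locked, dirty bool) signature suggests the guarded state includes a vault.Model, so it is worth confirming that the response exposes only the lock/dirty flags and no vault contents or metadata a narrowly scoped token should not see. If anything beyond those flags is returned, the scope check should stay on that part of the response rather than on the RPC as a whole.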
@@ -112,9 +112,12 @@ func TestVaultServiceRejectsUnauthorizedVaultManagement(t *testing.T) {
 	})
 	defer cleanup()
 
-	_, err := client.GetSessionStatus(tokenContext(defaultTestTokenSecret), &keepassgov1.GetSessionStatusRequest{})
-	if status.Code(err) != codes.PermissionDenied {
-		t.Fatalf("GetSessionStatus() code = %v, want %v", status.Code(err), codes.PermissionDenied)
+	resp, err := client.GetSessionStatus(tokenContext(defaultTestTokenSecret), &keepassgov1.GetSessionStatusRequest{})
+	if err != nil {
+		t.Fatalf("GetSessionStatus() error = %v", err)
+	}
+	if resp.GetLocked() {
+		t.Fatal("GetSessionStatus().Locked = true, want false")
 	}
 }
 
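Review bot: Replacing the PermissionDenied assertion in this test removes the only negative check for the ManageVault scope that this patch shows; after the change, nothing visible in server_test.go still proves that a token without OperationManageVault is rejected anywhere. Keep a separate test that calls another ManageVault-gated RPC with the same scoped token and asserts `codes.PermissionDenied`, so the relaxation is pinned to GetSessionStatus and a regression in authorizeVaultRequest would still be caught. The new test also depends on newTestClientForModel and tokenContext(defaultTestTokenSecret), both outside the hunk, to produce a token that lacks ManageVault; a comment such as `// the default test token carries no ManageVault scope, so status must still be readable` would record that assumption where the assertion lives. Since proto getters return the zero value on a nil receiver, `resp.GetLocked()` cannot distinguish an unlocked session from a nil response, so guarding with `if resp == nil { t.Fatal("GetSessionStatus() returned nil response") }` before the getter would make a failure here unambiguous. The enclosing test function starts before this hunk.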