fix: add additional check to admin token

vtex-apps · Apr 19, 2024 · e861b25 · e861b25
1 parent 32c20f8
commit e861b25
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/node/directives/checkUserAccess.ts b/node/directives/checkUserAccess.ts
@@ -24,7 +24,17 @@ export async function checkUserOrAdminTokenAccess(
 
   if (adminUserAuthToken) {
     try {
-      await identity.validateToken({ token: adminUserAuthToken })
+      const authUser = await identity.validateToken({
+        token: adminUserAuthToken,
+      })
+
+      if (!authUser?.audience || authUser?.audience !== 'admin') {
+        logger.warn({
+          message: `CheckUserAccess: No valid user found by admin token`,
+          operation,
+        })
+        throw new ForbiddenError('Unauthorized Access')
+      }
     } catch (err) {
       logger.warn({
         error: err,