fix: return Unauthenticated instead of PermissionDenied on token expiration (#5454)

da2dd80e · Faizaan pochi · GitHub · 07eac279 · da2dd80e · da2dd80e
Unverified Commit da2dd80e authored Jan 08, 2026 by Faizaan pochi Committed by GitHub Jan 08, 2026
5 changed files
--- a/server/router/api/v1/idp_service.go
+++ b/server/router/api/v1/idp_service.go
@@ -18,7 +18,10 @@ func (s *APIV1Service) CreateIdentityProvider(ctx context.Context, request *v1pb
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
 	}
-	if currentUser == nil || currentUser.Role != store.RoleHost {
+	if currentUser == nil {
+		return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+	}
+	if currentUser.Role != store.RoleHost {
 		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 	}
@@ -84,7 +87,10 @@ func (s *APIV1Service) UpdateIdentityProvider(ctx context.Context, request *v1pb
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
 	}
-	if currentUser == nil || currentUser.Role != store.RoleHost {
+	if currentUser == nil {
+		return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+	}
+	if currentUser.Role != store.RoleHost {
 		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 	}
@@ -125,7 +131,10 @@ func (s *APIV1Service) DeleteIdentityProvider(ctx context.Context, request *v1pb
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
 	}
-	if currentUser == nil || currentUser.Role != store.RoleHost {
+	if currentUser == nil {
+		return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+	}
+	if currentUser.Role != store.RoleHost {
 		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 	}

--- a/server/router/api/v1/instance_service.go
+++ b/server/router/api/v1/instance_service.go
@@ -70,7 +70,10 @@ func (s *APIV1Service) GetInstanceSetting(ctx context.Context, request *v1pb.Get
 		if err != nil {
 			return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 		}
-		if user == nil || user.Role != store.RoleHost {
+		if user == nil {
+			return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+		}
+		if user.Role != store.RoleHost {
 			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 		}
 	}

--- a/server/router/api/v1/memo_service.go
+++ b/server/router/api/v1/memo_service.go
@@ -281,7 +281,7 @@ func (s *APIV1Service) GetMemo(ctx context.Context, request *v1pb.GetMemoRequest
 			return nil, status.Errorf(codes.Internal, "failed to get user")
 		}
 		if user == nil {
-			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+			return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
 		}
 		if memo.Visibility == store.Private && memo.CreatorID != user.ID {
 			return nil, status.Errorf(codes.PermissionDenied, "permission denied")

--- a/server/router/api/v1/test/idp_service_test.go
+++ b/server/router/api/v1/test/idp_service_test.go
@@ -97,7 +97,7 @@ func TestCreateIdentityProvider(t *testing.T) {
 		_, err := ts.Service.CreateIdentityProvider(ctx, req)
 		require.Error(t, err)
-		require.Contains(t, err.Error(), "permission denied")
+		require.Contains(t, err.Error(), "user not authenticated")
 	})
 }
@@ -547,6 +547,6 @@ func TestIdentityProviderPermissions(t *testing.T) {
 		_, err := ts.Service.CreateIdentityProvider(ctx, req)
 		require.Error(t, err)
-		require.Contains(t, err.Error(), "permission denied")
+		require.Contains(t, err.Error(), "user not authenticated")
 	})
 }
--- a/server/router/api/v1/user_service.go
+++ b/server/router/api/v1/user_service.go
@@ -192,6 +192,9 @@ func (s *APIV1Service) UpdateUser(ctx context.Context, request *v1pb.UpdateUserR
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
 	}
+	if currentUser == nil {
+		return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+	}
 	// Check permission.
 	// Only allow admin or self to update user.
 	if currentUser.ID != userID && currentUser.Role != store.RoleAdmin && currentUser.Role != store.RoleHost {
@@ -1240,6 +1243,9 @@ func (s *APIV1Service) ListUserNotifications(ctx context.Context, request *v1pb.
 	if err != nil {
 		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 	}
+	if currentUser == nil {
+		return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+	}
 	if currentUser.ID != userID {
 		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
 	}
@@ -1287,6 +1293,9 @@ func (s *APIV1Service) UpdateUserNotification(ctx context.Context, request *v1pb
 		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 	}
+	if currentUser == nil {
+		return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+	}
 	// Verify ownership before updating
 	inboxes, err := s.Store.ListInboxes(ctx, &store.FindInbox{
 		ID: &notificationID,
@@ -1352,6 +1361,9 @@ func (s *APIV1Service) DeleteUserNotification(ctx context.Context, request *v1pb
 		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
 	}
+	if currentUser == nil {
+		return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
+	}
 	// Verify ownership before deletion
 	inboxes, err := s.Store.ListInboxes(ctx, &store.FindInbox{
 		ID: &notificationID,