fix: one-time-access-token route should get user ID from URL only (#1358)

2026-03-22 20:50:07 +00:00 · 2026-03-03 18:53:36 -08:00
parent e0fc4cc01b
commit 27ca713cd4
5 changed files with 60 additions and 10 deletions
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"time"

+	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/cookie"

 	"github.com/gin-gonic/gin"
@@ -322,22 +323,34 @@ func (uc *UserController) updateCurrentUserProfilePictureHandler(c *gin.Context)

 func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context, own bool) {
 	var input dto.OneTimeAccessTokenCreateDto
-	if err := c.ShouldBindJSON(&input); err != nil {
+	err := c.ShouldBindJSON(&input)
+	if err != nil {
 		_ = c.Error(err)
 		return
 	}

-	var ttl time.Duration
+	var (
+		userID string
+		ttl    time.Duration
+	)
 	if own {
-		input.UserID = c.GetString("userID")
+		// Get user ID from context and force the default TTL
+		userID = c.GetString("userID")
 		ttl = defaultOneTimeAccessTokenDuration
 	} else {
+		// Get user ID from URL parameter, and optional TTL from body
+		userID = c.Param("id")
 		ttl = input.TTL.Duration
 		if ttl <= 0 {
 			ttl = defaultOneTimeAccessTokenDuration
 		}
 	}
-	token, err := uc.oneTimeAccessService.CreateOneTimeAccessToken(c.Request.Context(), input.UserID, ttl)
+	if userID == "" {
+		_ = c.Error(&common.UserIdNotProvidedError{})
+		return
+	}
+
+	token, err := uc.oneTimeAccessService.CreateOneTimeAccessToken(c.Request.Context(), userID, ttl)
 	if err != nil {
 		_ = c.Error(err)
 		return