From 96884a83a04696aad8e49a60bbbf03b8e02b0fcb Mon Sep 17 00:00:00 2001
From: feiniks <36756310+feiniks@users.noreply.github.com>
Date: Thu, 2 Dec 2021 18:30:22 +0800
Subject: [PATCH] Validate token return 403 for go (#523)
---
 fileserver/sync_api.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/fileserver/sync_api.go b/fileserver/sync_api.go
index 25a9a01..a13ac69 100644
--- a/fileserver/sync_api.go
+++ b/fileserver/sync_api.go
@@ -1034,7 +1034,11 @@ func validateToken(r *http.Request, repoID string, skipCache bool) (string, *app
 }
 if value, ok := tokenCache.Load(token); ok {
- if info, ok := value.(*tokenInfo); ok && info.repoID == repoID {
+ if info, ok := value.(*tokenInfo); ok {
+ if info.repoID != repoID {
+ msg := "Invalid token"
+ return "", &appError{nil, msg, http.StatusForbidden}
+ }
 return info.email, nil
 }
 }
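Review bot: The new `info.repoID != repoID` branch makes a cache hit authoritative for rejection as well as acceptance, so a token cached for another repo now gets 403 without reaching whatever validation follows this block, and nothing in the hunk records that this is intended. A comment on the branch would state it, e.g. `// token is cached for a different repo: reject here rather than falling through to the lookup below`. A token presented against a repo it was not issued for is also worth a log entry (repo ID only, never the token value), so the mismatch is visible to whoever monitors the server. validateToken starts and ends outside the hunk, so whether `skipCache` gates this `tokenCache.Load`, and what status the non-cached path returns for the same mismatch, cannot be checked from here; the two paths should agree.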