From 2c1f5e46d5928a21458749251c4ee5eb96575239 Mon Sep 17 00:00:00 2001
From: Bethuel Mmbaga
Date: Mon, 7 Oct 2024 19:06:26 +0300
Subject: [PATCH] [management] Validate peer ownership during login (#2704)

* check peer ownership in login
Signed-off-by: bcmmbaga
* update error message
Signed-off-by: bcmmbaga
---------
Signed-off-by: bcmmbaga
---
 management/server/peer.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/management/server/peer.go b/management/server/peer.go
index da9586734..a7d4f3b06 100644
--- a/management/server/peer.go
+++ b/management/server/peer.go
@@ -693,6 +693,11 @@ func (am *DefaultAccountManager) LoginPeer(ctx context.Context, login PeerLogin)
 updateRemotePeers := false

 if login.UserID != "" {
+ if peer.UserID != login.UserID {
+ log.Warnf("user mismatch when logging in peer %s: peer user %s, login user %s ", peer.ID, peer.UserID, login.UserID)
+ return nil, nil, nil, status.Errorf(status.Unauthenticated, "invalid user")
+ }
+
 changed, err := am.handleUserPeer(ctx, peer, settings)
 if err != nil {
 return nil, nil, nil, err
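Review bot: The new ownership check sits inside `if login.UserID != "" {`, so it runs only when the login carries a user ID; a login for a peer whose `peer.UserID` is set but which arrives with an empty `login.UserID` never reaches the comparison. Whether that case is rejected earlier in LoginPeer cannot be seen here, since the function starts and ends outside the hunk, so it is worth confirming and recording above the check, e.g. `// Reject a login whose authenticated user is not the peer's owner; logins without a UserID skip this check.` The diffstat lists only peer.go, so the rejection path has no regression test; one that logs in an existing peer with a different UserID and expects `status.Unauthenticated` would pin the behaviour. As a smaller point, the `log.Warnf` format string ends with a stray space and prints the IDs with `%s`; `%q` would make an empty or unusual value visible in the log.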