From de457788ba87e9021f663216fe8aea591f0b778e Mon Sep 17 00:00:00 2001
From: Pascal Fischer
Date: Wed, 2 Apr 2025 16:03:33 +0200
Subject: [PATCH] return error when trying to use accountID path variable with PAT

---
 management/server/http/middleware/auth_middleware.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/management/server/http/middleware/auth_middleware.go b/management/server/http/middleware/auth_middleware.go
index a8e6790a9..8b944367c 100644
--- a/management/server/http/middleware/auth_middleware.go
+++ b/management/server/http/middleware/auth_middleware.go
@@ -142,6 +142,12 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, auth []string) (*h
 		return r, fmt.Errorf("token expired")
 	}
 
+	if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
+		if user.AccountID != impersonate[0] {
+			return r, fmt.Errorf("token is not valid for this account")
+		}
+	}
+
 	err = m.authManager.MarkPATUsed(ctx, pat.ID)
 	if err != nil {
 		return r, err
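Review bot: The new account check is skipped entirely when the `account` query parameter is present more than once, because the outer condition requires `len(impersonate) == 1`; such a request reaches MarkPATUsed without the account comparison the commit intends to enforce. Treat any presence of the parameter that is not a single value equal to the token's account as a mismatch: `if impersonate, ok := r.URL.Query()["account"]; ok {` followed by `if len(impersonate) != 1 || user.AccountID != impersonate[0] {`. The commit subject speaks of an accountID path variable, but the hunk only inspects the URL query; if the account can also arrive as a route variable, that input is presumably not covered by this check. checkPATFromRequest starts and ends outside the hunk, so where `user` is populated is not visible here.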