Merge remote-tracking branch 'origin/master'

2026-02-16 16:45:04 +03:00
parent 54182e97c5
commit daedff2880
6 changed files with 310 additions and 113 deletions
--- a/svc/middlewares/authz_v2.go
+++ b/svc/middlewares/authz_v2.go
@@ -859,7 +859,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 			// =====================================================
 			claims, ok := auth.GetClaimsFromContext(r.Context())
 			if !ok || claims == nil {
-				http.Error(w, "unauthorized", http.StatusUnauthorized)
+				log.Printf(
+					"AUTHZ_BY_ROUTE 401 reason=claims_missing method=%s path=%s",
+					r.Method,
+					r.URL.Path,
+				)
+				http.Error(w, "unauthorized: token missing or invalid", http.StatusUnauthorized)
 				return
 			}

@@ -873,7 +878,7 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 					r.Method, r.URL.Path,
 				)

-				http.Error(w, "route not resolved", 403)
+				http.Error(w, "route not resolved", http.StatusForbidden)
 				return
 			}

@@ -881,7 +886,14 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 			if err != nil {
 				log.Printf("❌ AUTHZ: path template error: %v", err)

-				http.Error(w, "route template error", 403)
+				http.Error(w, "route template error", http.StatusForbidden)
+				return
+			}
+
+			// Password change must be reachable for every authenticated user.
+			// This avoids permission deadlocks during forced first-password flow.
+			if pathTemplate == "/api/password/change" {
+				next.ServeHTTP(w, r)
 				return
 			}

@@ -908,7 +920,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 					pathTemplate,
 				)

-				http.Error(w, "route permission not found", 403)
+				if pathTemplate == "/api/password/change" {
+					http.Error(w, "password change route permission not found", http.StatusForbidden)
+					return
+				}
+
+				http.Error(w, "route permission not found", http.StatusForbidden)
 				return
 			}

@@ -935,7 +952,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 					err,
 				)

-				http.Error(w, "forbidden", 403)
+				if pathTemplate == "/api/password/change" {
+					http.Error(w, "password change permission check failed", http.StatusForbidden)
+					return
+				}
+
+				http.Error(w, "forbidden", http.StatusForbidden)
 				return
 			}

@@ -948,7 +970,12 @@ func AuthzGuardByRoute(pg *sql.DB) func(http.Handler) http.Handler {
 					action,
 				)

-				http.Error(w, "forbidden", 403)
+				if pathTemplate == "/api/password/change" {
+					http.Error(w, "password change forbidden: permission denied", http.StatusForbidden)
+					return
+				}
+
+				http.Error(w, "forbidden", http.StatusForbidden)
 				return
 			}