skip S3 policy check for admin routes after signature verify

2026-04-04 20:36:25 +00:00 · 2026-03-02 23:54:05 +01:00
parent 93a3aabf7d
commit 22cfb820f9
1 changed files with 12 additions and 12 deletions
--- a/auth/service.go
+++ b/auth/service.go
@@ -171,18 +171,6 @@ func (s *Service) AuthenticateRequest(r *http.Request) (RequestContext, error) {
 		return RequestContext{}, ErrSignatureDoesNotMatch
 	}

-	policy, err := s.store.GetAuthPolicy(identity.AccessKeyID)
-	if err != nil {
-		return RequestContext{}, ErrAccessDenied
-	}
-	target := resolveTarget(r)
-	if target.Action == "" {
-		return RequestContext{}, ErrAccessDenied
-	}
-	if !isAllowed(policy, target) {
-		return RequestContext{}, ErrAccessDenied
-	}
-
 	authType := "sigv4-header"
 	if input.Presigned {
 		authType = "sigv4-presign"
@@ -198,6 +186,18 @@ func (s *Service) AuthenticateRequest(r *http.Request) (RequestContext, error) {
 		}, nil
 	}

+	policy, err := s.store.GetAuthPolicy(identity.AccessKeyID)
+	if err != nil {
+		return RequestContext{}, ErrAccessDenied
+	}
+	target := resolveTarget(r)
+	if target.Action == "" {
+		return RequestContext{}, ErrAccessDenied
+	}
+	if !isAllowed(policy, target) {
+		return RequestContext{}, ErrAccessDenied
+	}
+
 	return RequestContext{
 		Authenticated: true,
 		AccessKeyID:   identity.AccessKeyID,