From 22cfb820f90007e034effa62285e8758747bc296 Mon Sep 17 00:00:00 2001
From: Andrej Mickov
Date: Mon, 2 Mar 2026 23:54:05 +0100
Subject: [PATCH] skip S3 policy check for admin routes after signature verify

---
 auth/service.go | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/auth/service.go b/auth/service.go
index 9672cd7..6ea1b44 100644
--- a/auth/service.go
+++ b/auth/service.go
@@ -171,18 +171,6 @@ func (s *Service) AuthenticateRequest(r *http.Request) (RequestContext, error) {
 return RequestContext{}, ErrSignatureDoesNotMatch
 }
 
- policy, err := s.store.GetAuthPolicy(identity.AccessKeyID)
- if err != nil {
- return RequestContext{}, ErrAccessDenied
- }
- target := resolveTarget(r)
- if target.Action == "" {
- return RequestContext{}, ErrAccessDenied
- }
- if !isAllowed(policy, target) {
- return RequestContext{}, ErrAccessDenied
- }
-
 authType := "sigv4-header"
 if input.Presigned {
 authType = "sigv4-presign"
@@ -198,6 +186,18 @@ func (s *Service) AuthenticateRequest(r *http.Request) (RequestContext, error) {
 }, nil
 }
 
+ policy, err := s.store.GetAuthPolicy(identity.AccessKeyID)
+ if err != nil {
+ return RequestContext{}, ErrAccessDenied
+ }
+ target := resolveTarget(r)
+ if target.Action == "" {
+ return RequestContext{}, ErrAccessDenied
+ }
+ if !isAllowed(policy, target) {
+ return RequestContext{}, ErrAccessDenied
+ }
+
 return RequestContext{
 Authenticated: true,
 AccessKeyID: identity.AccessKeyID,
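Review bot: With the policy block now placed below the early return that closes at the top of the second hunk (`}, nil` / `}`), any request taking that branch is accepted on a valid signature alone; `GetAuthPolicy`, `resolveTarget` and `isAllowed` are never consulted for it. The branch condition is outside the hunk, but going by the commit subject it is the admin-route case, so unless the admin handlers enforce their own authorization, every access key that can produce a valid signature is effectively authorized for admin routes. I would state that contract at the early return, e.g. `// Admin routes bypass S3 policy evaluation; admin authorization must be enforced by the admin handlers.`, and add a test asserting that a valid non-admin key is rejected on an admin route. It is also worth confirming that the admin-route classification uses the same normalized path the router dispatches on, so the two cannot disagree about which requests skip the policy check.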