fix(controlplane): skip allow-list for API tokens (#1071)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/controlplane/internal/usercontext/allowlist_middleware.go

@@ -35,6 +35,11 @@ func CheckUserInAllowList(allowList *conf.Auth_AllowList) middleware.Middleware
 				return handler(ctx, req)
 			}
 
+			// API tokens skip the allowlist since they are meant to represent a service
+			if token := CurrentAPIToken(ctx); token != nil {
+				return handler(ctx, req)
+			}
+
 			// Make sure that this middleware is ran after WithCurrentUser
 			user := CurrentUser(ctx)
 			if user == nil {

app/controlplane/internal/usercontext/allowlist_middleware_test.go

@@ -72,6 +72,7 @@ func TestCheckUserInAllowList(t *testing.T) {
 		selectedRoutes []string
 		runningRoute   string
 		email          string
+		isAPIToken     bool
 		wantErr        bool
 		customErrMsg   string
 	}{
@@ -85,6 +86,12 @@ func TestCheckUserInAllowList(t *testing.T) {
 			rules:   []string{"[email protected]"},
 			wantErr: true,
 		},
+		{
+			name:       "is an API token so allow-list gets skipped",
+			isAPIToken: true,
+			rules:      []string{"[email protected]"},
+			wantErr:    false,
+		},
 		{
 			name:           "user not allowed to access the route",
 			email:          "[email protected]",
@@ -159,7 +166,10 @@ func TestCheckUserInAllowList(t *testing.T) {
 			ctx := context.Background()
 			if tc.email != "" {
 				ctx = WithCurrentUser(ctx, &User{Email: tc.email, ID: "124"})
+			} else if tc.isAPIToken {
+				ctx = WithCurrentAPIToken(ctx, &APIToken{ID: "124"})
 			}
+
 			if tc.runningRoute != "" {
 				ctx = transport.NewServerContext(ctx, &mockTransport{operation: tc.runningRoute})
 			}