mirror of
https://github.com/go-vikunja/vikunja.git
synced 2026-05-10 15:15:41 -05:00
3d75ca049b
The JWT skipper bypassed validation entirely for /token/test when the bearer was an API token, leaving "user" unset in the context. CheckToken then type-asserted it to *jwt.Token and panicked. Validate the API token in the skipper but skip the route permission check (since /token/test is not exposed in the API token route registry, no token can hold explicit permission for it). Drop the now-redundant JWT assertion in CheckToken — auth has already passed by the time the handler runs.