From 6d8eba25ba90d1a178867eb66cc3e5e8a8041ab4 Mon Sep 17 00:00:00 2001
From: rkonfj
Date: Tue, 25 Mar 2025 19:55:30 +0800
Subject: [PATCH] peermap/api: fix privilege escalation during token refresh
---
 langs/ifelse.go | 8 ++++++++
 peermap/api/api_v1.go | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 langs/ifelse.go
diff --git a/langs/ifelse.go b/langs/ifelse.go
new file mode 100644
index 0000000..f9830ce
--- /dev/null
+++ b/langs/ifelse.go
@@ -0,0 +1,8 @@
+package langs
+
+func IfElse[T any](cond bool, v1, v2 T) T {
+ if cond {
+ return v1
+ }
+ return v2
+}
diff --git a/peermap/api/api_v1.go b/peermap/api/api_v1.go
index c5926e5..b5af970 100644
--- a/peermap/api/api_v1.go
+++ b/peermap/api/api_v1.go
@@ -59,7 +59,7 @@ func (a *ApiV1) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 }

 if time.Until(time.Unix(secret.Deadline, 0)) < a.Config.SecretValidityPeriod-a.Config.SecretRotationPeriod {
- if newSecret, err := a.Grant(secret.Network, "PG_ADM"); err == nil {
+ if newSecret, err := a.Grant(secret.Network, langs.IfElse(secret.Admin, "PG_ADM", "")); err == nil {
 b, _ := json.Marshal(newSecret)
 w.Header().Add("X-Set-Token", string(b))
 }
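Review bot: The exported `IfElse` in langs/ifelse.go has no doc comment, and unlike an `if` statement it evaluates both `v1` and `v2` before the call, which matters once a caller passes an expression that dereferences a pointer or has side effects. Suggest adding `// IfElse returns v1 when cond is true and v2 otherwise. Both values are evaluated by the caller before the call.` above the function.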
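Review bot: Tokens that a non-admin already refreshed before this fix presumably carry the admin flag, so the new `langs.IfElse(secret.Admin, "PG_ADM", "")` call would keep renewing them as admin on every rotation; the change only stops new escalations. Whether that holds depends on how `Grant` encodes `"PG_ADM"`, which is not visible in this hunk, but if it does the upgrade should be paired with invalidating outstanding tokens, for example by rotating the key that protects them. A comment on the call such as `// refresh must preserve, never raise, the privilege of the presented token` and a test asserting that a refreshed non-admin token still has `Admin == false` would guard against regression. ServeHTTP starts and ends outside the hunk, so the verification of `secret` before this point could not be checked here.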