peermap/api: fix privilege escalation during token refresh

langs/ifelse.go

@@ -0,0 +1,8 @@
+package langs
+
+func IfElse[T any](cond bool, v1, v2 T) T {
+	if cond {
+		return v1
+	}
+	return v2
+}

peermap/api/api_v1.go

@@ -59,7 +59,7 @@ func (a *ApiV1) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 	if time.Until(time.Unix(secret.Deadline, 0)) <
 		a.Config.SecretValidityPeriod-a.Config.SecretRotationPeriod {
-		if newSecret, err := a.Grant(secret.Network, "PG_ADM"); err == nil {
+		if newSecret, err := a.Grant(secret.Network, langs.IfElse(secret.Admin, "PG_ADM", "")); err == nil {
 			b, _ := json.Marshal(newSecret)
 			w.Header().Add("X-Set-Token", string(b))
 		}