mc/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Include account_type in token validation response

Browse Source 
The /v1/token/validate endpoint now returns account_type ("human" or
"system") alongside username and roles. The account lookup was already
happening — this just surfaces the type in the response.

Required by downstream services (MCR, Metacrypt) whose policy engines
match on account type.

Security: no new data exposure — account_type is non-sensitive metadata
already available to any authenticated admin via GET /v1/accounts/{id}.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Kyle Isom
2026-03-25 17:45:04 -07:00
parent db7cd73a6e
commit 35e96444aa
2 changed files with 7 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
internal/server/server.go
View File

@@ -704,11 +704,12 @@ type validateRequest struct {
}
type validateResponse struct {
Subject string `json:"sub,omitempty"`
Username string `json:"username,omitempty"`
ExpiresAt string `json:"expires_at,omitempty"`
Roles []string `json:"roles,omitempty"`
Valid bool `json:"valid"`
Subject string `json:"sub,omitempty"`
Username string `json:"username,omitempty"`
AccountType string `json:"account_type,omitempty"`
ExpiresAt string `json:"expires_at,omitempty"`
Roles []string `json:"roles,omitempty"`
Valid bool `json:"valid"`
}
func (s *Server) handleTokenValidate(w http.ResponseWriter, r *http.Request) {
@@ -753,6 +754,7 @@ func (s *Server) handleTokenValidate(w http.ResponseWriter, r *http.Request) {
}
if acct, err := s.db.GetAccountByUUID(claims.Subject); err == nil {
resp.Username = acct.Username
resp.AccountType = string(acct.AccountType)
}
writeJSON(w, http.StatusOK, resp)
}