
creating auth-app token with user-id creates token for the wrong user #11063

Open
Tracked by #10619
nirajacharya2 opened this issue Feb 26, 2025 · 4 comments

Comments

@nirajacharya2
Contributor

Describe the bug

Creating an auth-app token with user-id creates a token for the user that made the request rather than for the user with the given userId. If the user-id is wrong, a token is created for the user who made the request.

Steps to reproduce

  1. Create an auth-app token for einstein using user-id:
     curl -kv -XPOST 'https://localhost:9200/auth-app/tokens?expiry=72h&userId=4c510ada-c86b-4815-8820-42cdf82c3d51' -uadmin:admin|jq

Expected behavior

When einstein lists his tokens, there should be a token.

Actual behavior

The token is not created for einstein, but admin has a new token. If we put any random string in the userId, the request will return 200 and the token will be created for admin, probably because he made the request.

Setup


OCIS_ADD_RUN_SERVICES=auth-app
AUTH_APP_ENABLE_IMPERSONATION=true

ownCloud Web UI 11.1.3
Infinite Scale 7.1.0-rc.4+16e920f41c Community


@saw-jan
Member

saw-jan commented Mar 4, 2025

Hmm, if admin is impersonating user einstein, shouldn't admin get the token while listing? 🤔
CC @kobergj @2403905

@kobergj
Collaborator

kobergj commented Mar 4, 2025

The parameter for the endpoint is userID (or userName). It is case sensitive, I think, so userId will not be checked.

The expected behaviour is that the token is created for einstein. That means only einstein can list it, admin cannot.
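As an added illustration of the two points above (the report's silent fallback to the requester, and the case-sensitive userID/userName parameter names), here is a hypothetical Go resolver for the token owner. It is not oCIS code; the user map, the constructed admin ID and the function name are assumptions. It rejects a misspelled or unknown parameter and an unknown user instead of quietly issuing the token to the caller.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Constructed stand-in for the identity backend (user ID -> user name);
// the einstein ID is the one used in the report's curl command.
var usersByID = map[string]string{
	"4c510ada-c86b-4815-8820-42cdf82c3d51": "einstein",
	"constructed-admin-id":                 "admin",
}

// resolveTokenOwner returns the account a new app token belongs to. requester
// is the authenticated caller; impersonate mirrors AUTH_APP_ENABLE_IMPERSONATION.
// Unknown or misspelled parameters and unknown users are errors, never a silent fallback.
func resolveTokenOwner(requester, rawQuery string, impersonate bool) (string, error) {
	query, err := url.ParseQuery(rawQuery)
	if err != nil {
		return "", err
	}
	for key := range query {
		if key != "userID" && key != "userName" && key != "expiry" {
			return "", fmt.Errorf("unknown query parameter %q (names are case sensitive)", key)
		}
	}
	target := requester
	if id := query.Get("userID"); id != "" {
		name, ok := usersByID[id]
		if !ok {
			return "", fmt.Errorf("no user with id %q", id)
		}
		target = name
	} else if name := query.Get("userName"); name != "" {
		found := false
		for _, n := range usersByID {
			found = found || n == name
		}
		if !found {
			return "", fmt.Errorf("no user named %q", name)
		}
		target = name
	}
	if target != requester && !impersonate {
		return "", errors.New("impersonation is disabled")
	}
	return target, nil
}
```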

@saw-jan
Member

saw-jan commented Mar 4, 2025

The expected behaviour is that the token is created for einstein. That means only einstein can list it, admin cannot.

That means this bug report is valid, if it actually is the case.

@kobergj
Collaborator

kobergj commented Mar 4, 2025

that means this bug report is valid if it actually is the case.

Exactly. But the parameters should be double-checked.
