From 8c78286e5fdc5f5d94396f52f2f4b60a8a919c6f Mon Sep 17 00:00:00 2001
From: GareArc
Date: Fri, 30 May 2025 16:10:48 +0800
Subject: [PATCH] fix: prevent webapp token used in console
---
 api/extensions/ext_login.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/api/extensions/ext_login.py b/api/extensions/ext_login.py
index 80fee7ccd8..b8c8218b03 100644
--- a/api/extensions/ext_login.py
+++ b/api/extensions/ext_login.py
@@ -37,6 +37,9 @@ def load_user_from_request(request_from_flask_login):
 raise Unauthorized("Invalid Authorization token.")
 decoded = PassportService().verify(auth_token)
 user_id = decoded.get("user_id")
+ source = decoded.get("token_source")
+ if source:
+ raise Unauthorized("Invalid Authorization token.")
 if not user_id:
 raise Unauthorized("Invalid Authorization token.")
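Review bot: The added guard in `load_user_from_request` is a deny-list on a truthy `token_source`, so a PassportService-signed token that carries `user_id` but has no such claim, or has it set to an empty value, is still accepted on this path. A presence test is stricter, `if "token_source" in decoded:`, and if console tokens carry a claim of their own, requiring that claim would be more robust than excluding the webapp one. The three lines also need a short comment saying why a non-empty claim is an error, for example `# webapp passports set token_source; they must not authenticate console requests`. The function starts and ends outside the hunk, so which blueprints reach this branch and how the other token types are issued cannot be confirmed from here.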