From 00f92bfb9444fd623841c6bb59cb0916db44dcab Mon Sep 17 00:00:00 2001
From: GareArc
Date: Fri, 30 May 2025 16:10:48 +0800
Subject: [PATCH] fix: prevent webapp token used in console
---
 api/extensions/ext_login.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/api/extensions/ext_login.py b/api/extensions/ext_login.py
index 10fb89eb73..d23ca96ec2 100644
--- a/api/extensions/ext_login.py
+++ b/api/extensions/ext_login.py
@@ -35,6 +35,9 @@ def load_user_from_request(request_from_flask_login):
 decoded = PassportService().verify(auth_token)
 user_id = decoded.get("user_id")
+ source = decoded.get("token_source")
+ if source:
+ raise Unauthorized("Invalid Authorization token.")
 logged_in_account = AccountService.load_logged_in_account(account_id=user_id)
 return logged_in_account
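Review bot: The new `if source:` guard in load_user_from_request is a denylist on an optional claim, so it fails open: a token that lacks `token_source`, or carries it with a falsy value such as an empty string, still reaches `AccountService.load_logged_in_account`. Testing presence rather than truthiness closes the falsy case, `if "token_source" in decoded:`, and a short comment such as `# webapp-issued tokens carry token_source; console tokens must not` would record why the claim is rejected. The check still depends on every non-console issuer setting that claim, which is not visible here; requiring a positive console-only claim would be the stricter design if the issuers can be changed. The function starts above the hunk, so which request paths reach this branch and how `auth_token` is obtained cannot be confirmed from these lines.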