From 38eedbf15fc1b12cac05e488dc1e12be5d061c73 Mon Sep 17 00:00:00 2001
From: Jun Luo
Date: Fri, 8 May 2026 16:25:48 +0800
Subject: [PATCH] Allow access tokens and align EE/CE MustUserOrgApiKey with SaaS validation and logging.
---
 api/middleware/authenticator_ce.go | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/api/middleware/authenticator_ce.go b/api/middleware/authenticator_ce.go
index aa18ae831..0cf3c2a71 100644
--- a/api/middleware/authenticator_ce.go
+++ b/api/middleware/authenticator_ce.go
@@ -3,10 +3,12 @@
 package middleware
 
 import (
+ "fmt"
+ "log/slog"
+
 "github.com/gin-gonic/gin"
 "opencsg.com/csghub-server/api/httpbase"
 "opencsg.com/csghub-server/common/config"
- "opencsg.com/csghub-server/common/errorx"
 )
 
 func NeedPhoneVerified(config *config.Config) gin.HandlerFunc {
@@ -17,9 +19,22 @@ func MustUserOrgApiKey(config *config.Config) gin.HandlerFunc {
 return func(ctx *gin.Context) {
 authType := httpbase.GetAuthType(ctx)
 apikey := httpbase.GetAccessToken(ctx)
+ tokenName := httpbase.GetCurrentTokenName(ctx)
 currentNamespaceUUID := httpbase.GetCurrentNamespaceUUID(ctx)
- if authType != httpbase.AuthTypeUserOrgApiKey || currentNamespaceUUID == "" || apikey == "" {
- httpbase.UnauthorizedError(ctx, errorx.ErrUnauthorized)
+ if len(currentNamespaceUUID) < 1 {
+ currentNamespaceUUID = httpbase.GetCurrentUserUUID(ctx)
+ httpbase.SetCurrentNamespaceUUID(ctx, currentNamespaceUUID)
+ }
+ if authType != httpbase.AuthTypeUserOrgApiKey && authType != httpbase.AuthTypeAccessToken {
+ slog.ErrorContext(ctx.Request.Context(), "invalid auth type", slog.Any("authType", authType), slog.Any("nsuuid", currentNamespaceUUID), slog.String("tokenName", tokenName))
+ httpbase.UnauthorizedError(ctx, fmt.Errorf("token %s invalid auth type", tokenName))
+ ctx.Abort()
+ return
+ }
+ if len(currentNamespaceUUID) < 1 || len(apikey) < 1 {
+ slog.ErrorContext(ctx.Request.Context(), "invalid token",
+ slog.Any("nsuuid", currentNamespaceUUID), slog.String("tokenName", tokenName))
+ httpbase.UnauthorizedError(ctx, fmt.Errorf("token %s invalid", tokenName))
 ctx.Abort()
 return
 }
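Review bot: The namespace fallback at the top of the handler (`if len(currentNamespaceUUID) < 1 { ... }`) runs before the auth-type check and for every auth type, so a request with AuthTypeUserOrgApiKey and no namespace UUID, which the old condition rejected, is now rebound to the caller's own user UUID and let through. If the fallback is meant only for personal access tokens, gate it with `if len(currentNamespaceUUID) < 1 && authType == httpbase.AuthTypeAccessToken {` and place it after the auth-type rejection, so that rejected requests do not have their context mutated. Both 401 paths also replace `errorx.ErrUnauthorized` with `fmt.Errorf("token %s invalid ...", tokenName)`; assuming UnauthorizedError puts the error text into the response, clients lose the stable error value and the token name is echoed back to the caller, so I would keep `httpbase.UnauthorizedError(ctx, errorx.ErrUnauthorized)` and leave the detail in the slog call (this also means keeping the errorx import that the first hunk removes). The handler closure continues past the end of this hunk.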