From dd84b93ac3c12635f3899e66918cafade7d911a0 Mon Sep 17 00:00:00 2001
From: Silvan
Date: Mon, 3 Apr 2023 14:56:37 +0200
Subject: [PATCH] fix(token): filter users by instance id (#5596)

* fix(token): filter users by instance id
---
 .github/pull_request_template.md | 1 +
 .../repository/eventsourcing/eventstore/refresh_token.go | 1 +
 internal/auth/repository/eventsourcing/eventstore/token.go | 1 +
 internal/eventstore/v1/internal/repository/sql/filter.go | 4 ++++
 internal/eventstore/v1/models/search_query.go | 7 +++++--
 5 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
index 557cafe0a7..47b5f137d0 100644
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -1,5 +1,6 @@
 ```[tasklist]
 ### Definition of Ready
+
 - [ ] I am happy with the code
 - [ ] Short description of the feature/issue is added in the pr description
 - [ ] PR is linked to the corresponding user story
diff --git a/internal/auth/repository/eventsourcing/eventstore/refresh_token.go b/internal/auth/repository/eventsourcing/eventstore/refresh_token.go
index a57c7e748c..33ea1d868c 100644
--- a/internal/auth/repository/eventsourcing/eventstore/refresh_token.go
+++ b/internal/auth/repository/eventsourcing/eventstore/refresh_token.go
@@ -50,6 +50,7 @@ func (r *RefreshTokenRepo) RefreshTokenByID(ctx context.Context, tokenID, userID
 tokenView = new(model.RefreshTokenView)
 tokenView.ID = tokenID
 tokenView.UserID = userID
+ tokenView.InstanceID = authz.GetInstance(ctx).InstanceID()
 }

 events, esErr := r.getUserEvents(ctx, userID, tokenView.InstanceID, tokenView.Sequence)
diff --git a/internal/auth/repository/eventsourcing/eventstore/token.go b/internal/auth/repository/eventsourcing/eventstore/token.go
index 46a80f2bfa..ec982ea3b2 100644
--- a/internal/auth/repository/eventsourcing/eventstore/token.go
+++ b/internal/auth/repository/eventsourcing/eventstore/token.go
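Review bot: In the not-found branch of RefreshTokenByID, nothing checks that `authz.GetInstance(ctx).InstanceID()` returned a non-empty value before `tokenView.InstanceID` is passed to `r.getUserEvents`. If a context can reach this point without an instance (not visible in the hunk), the event lookup would presumably be unscoped again, which is the cross-instance read this commit is closing; failing closed with something like `if tokenView.InstanceID == "" { /* return the project's precondition error */ }` would make the tenant boundary explicit. The same applies to the identical line added to TokenByIDs in token.go. Both function bodies start and end outside their hunks, and no test in the patch replays events for one user ID that exists in two instances.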
@@ -42,6 +42,7 @@ func (repo *TokenRepo) TokenByIDs(ctx context.Context, userID, tokenID string) (
 token = new(model.TokenView)
 token.ID = tokenID
 token.UserID = userID
+ token.InstanceID = authz.GetInstance(ctx).InstanceID()
 }

 events, esErr := repo.getUserEvents(ctx, userID, token.InstanceID, token.Sequence)
diff --git a/internal/eventstore/v1/internal/repository/sql/filter.go b/internal/eventstore/v1/internal/repository/sql/filter.go
index 0ae8bb3ae1..5674972de6 100644
--- a/internal/eventstore/v1/internal/repository/sql/filter.go
+++ b/internal/eventstore/v1/internal/repository/sql/filter.go
@@ -3,6 +3,7 @@ package sql
 import (
 "context"
 "database/sql"
+ "runtime/debug"

 "github.com/zitadel/logging"

@@ -17,6 +18,9 @@ type Querier interface {
 }

 func (db *SQL) Filter(ctx context.Context, searchQuery *es_models.SearchQueryFactory) (events []*es_models.Event, err error) {
+ if !searchQuery.InstanceFiltered {
+ logging.WithFields("stack", string(debug.Stack())).Warn("instanceid not filtered")
+ }
 return filter(ctx, db.client, searchQuery)
 }

diff --git a/internal/eventstore/v1/models/search_query.go b/internal/eventstore/v1/models/search_query.go
index 7f0179ee9e..ea8570ab02 100644
--- a/internal/eventstore/v1/models/search_query.go
+++ b/internal/eventstore/v1/models/search_query.go
@@ -13,6 +13,8 @@ type SearchQueryFactory struct {
 limit uint64
 desc bool
 queries []*query
+
+ InstanceFiltered bool
 }

 type query struct {
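Review bot: The new check in Filter is detection-only: when `InstanceFiltered` is false a warning is logged and `filter(ctx, db.client, searchQuery)` still runs without an instance constraint, so a caller that forgets the filter keeps reading events across instances. If that is a deliberate transition step, state it on the check, e.g. `// detection only: unfiltered queries still execute; TODO reject once every caller sets an instance filter`. On the same lines, `searchQuery.InstanceFiltered` is dereferenced before anything has looked at the pointer, so `if searchQuery != nil && !searchQuery.InstanceFiltered {` is safer unless callers are guaranteed to pass a non-nil factory. `debug.Stack()` is also captured on every unfiltered call, which may be costly and noisy if this path is hot.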
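Review bot: `InstanceFiltered` is the only exported field of SearchQueryFactory in this hunk and it has no doc comment, although it now acts as the signal the SQL layer uses to detect queries that are not scoped to an instance. A comment such as `// InstanceFiltered reports whether an instance ID filter was applied; the sql Filter logs a warning when it is false.` would record that contract. Because the field is a plain exported bool, nothing ties its value to the contents of `queries`, and in the visible hunks it is set only in FactoryFromSearchQuery. If factories built another way add instance filters (not visible here), that path would need to set it too, otherwise correctly scoped queries trigger the warning.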
@@ -42,11 +44,11 @@ const (
 Columns_Event = iota
 Columns_Max_Sequence
 Columns_InstanceIDs
- //insert new columns-types before this columnsCount because count is needed for validation
+ // insert new columns-types before this columnsCount because count is needed for validation
 columnsCount
 )

-//FactoryFromSearchQuery is deprecated because it's for migration purposes. use NewSearchQueryFactory
+// FactoryFromSearchQuery is deprecated because it's for migration purposes. use NewSearchQueryFactory
 func FactoryFromSearchQuery(q *SearchQuery) *SearchQueryFactory {
 factory := &SearchQueryFactory{
 columns: q.Columns,
@@ -76,6 +78,7 @@ func FactoryFromSearchQuery(q *SearchQuery) *SearchQueryFactory {
 case Field_ResourceOwner:
 factory.queries[i] = factory.queries[i].ResourceOwner(filter.value.(string))
 case Field_InstanceID:
+ factory.InstanceFiltered = true
 if filter.operation == Operation_Equals {
 factory.queries[i] = factory.queries[i].InstanceID(filter.value.(string))
 } else if filter.operation == Operation_NotIn {
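Review bot: In the `case Field_InstanceID:` branch, `factory.InstanceFiltered = true` is set before the operation is inspected, so the flag is raised for `Operation_NotIn` (an exclusion list rather than a single-instance scope) and for any operation the if/else chain does not handle, where no instance constraint may be added at all. That would silence the warning in the SQL Filter for queries that still span instances. Consider moving the assignment into the `Operation_Equals` branch, directly before `factory.queries[i] = factory.queries[i].InstanceID(filter.value.(string))`. If NotIn is meant to count as filtered, a short comment saying why would help. The switch continues past the end of this hunk, so the remaining branches are not visible here.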