From 934f6cabf6269dc8656705737266c8dc7118258f Mon Sep 17 00:00:00 2001
From: Poorna
Date: Thu, 7 Mar 2024 14:30:00 -0800
Subject: [PATCH] sr: use site replicator creds to verify temp user claims (#19224)

This PR continues #19209 which did not handle claims verification of temporary users created by root in site replication scenario.

Fixes: #19217
---
 cmd/auth-handler.go | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/cmd/auth-handler.go b/cmd/auth-handler.go
index ad04515e7..752fdd530 100644
--- a/cmd/auth-handler.go
+++ b/cmd/auth-handler.go
@@ -298,15 +298,15 @@ func checkClaimsFromToken(r *http.Request, cred auth.Credentials) (map[string]in
 if cred.IsTemp() && cred.IsExpired() {
 return nil, toAPIErrorCode(r.Context(), errInvalidAccessKeyID)
 }
- secret := globalActiveCred.SecretKey
- var err error
 if globalSiteReplicationSys.isEnabled() && cred.AccessKey != siteReplicatorSvcAcc {
- if cred.ParentUser != globalActiveCred.AccessKey {
- secret, err = getTokenSigningKey()
- if err != nil {
- return nil, toAPIErrorCode(r.Context(), err)
- }
+ nsecret, err := getTokenSigningKey()
+ if err != nil {
+ return nil, toAPIErrorCode(r.Context(), err)
+ }
+ // sign root's temporary accounts also with site replicator creds
+ if cred.ParentUser != globalActiveCred.AccessKey || cred.IsTemp() {
+ secret = nsecret
 }
 }
 if cred.IsServiceAccount() {
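Review bot: `getTokenSigningKey()` is now called, and its error returned to the client, for every non-replicator credential when site replication is enabled, including a root-parent, non-temporary credential whose `nsecret` is then discarded by the new `if cred.ParentUser != globalActiveCred.AccessKey || cred.IsTemp()` guard; before this change that path never touched the signing key, so a key-lookup failure presumably now rejects root's own requests that used to succeed. Moving the fetch and its error check inside that `if` keeps the new condition but restores the old failure surface, so a key-lookup error only rejects requests that actually need the replicator key. The comment `// sign root's temporary accounts also with site replicator creds` talks about signing, but this code selects the secret used to verify claims; `// verify claims of non-root users, and of root's temporary accounts, with the site replicator signing key` would be more accurate. As rendered, the hunk also removes `secret := globalActiveCred.SecretKey` while the new side still assigns `secret = nsecret`; if that removal is real rather than a rendering artifact, `secret` needs a declaration earlier in `checkClaimsFromToken`, whose body starts and ends outside this hunk.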