Summary
buildResourceUrl in src/auth/middleware.js uses request.hostname which in Fastify returns the hostname without port (e.g. localhost). But ACLs reference full URLs with port (e.g. http://localhost:4443/alice/public/premium.json).
The constructed resourceUrl http://localhost/alice/... never matches the ACL's accessTo of http://localhost:4443/alice/..., so conditional authorizations (like PaymentCondition) fail even when they should pass.
Reproduction
jss start --pay (runs on port 4443)- Create resource and ACL with
accessTo: http://localhost:4443/alice/public/premium.json
- PaymentCondition with amount 0, deposit sats, try to access
- Gets 402 even though balance exists — because URL doesn't match
Fix
Use request.headers.host (includes port) instead of request.hostname (strips port) in buildResourceUrl.
Impact
Affects all ACL matching on non-standard ports. Default port 4443 is always affected. Only port 80/443 would accidentally work since browsers omit those from Host headers.
Summary
buildResourceUrlinsrc/auth/middleware.jsusesrequest.hostnamewhich in Fastify returns the hostname without port (e.g.localhost). But ACLs reference full URLs with port (e.g.http://localhost:4443/alice/public/premium.json).The constructed resourceUrl
http://localhost/alice/...never matches the ACL'saccessToofhttp://localhost:4443/alice/..., so conditional authorizations (like PaymentCondition) fail even when they should pass.Reproduction
jss start --pay(runs on port 4443)accessTo: http://localhost:4443/alice/public/premium.jsonFix
Use
request.headers.host(includes port) instead ofrequest.hostname(strips port) inbuildResourceUrl.Impact
Affects all ACL matching on non-standard ports. Default port 4443 is always affected. Only port 80/443 would accidentally work since browsers omit those from Host headers.