From c6a9c5cd8c061e9c268e1b6e95be5e028039a46a Mon Sep 17 00:00:00 2001
From: Evgenii Stratonikov <evgeniy@nspcc.ru>
Date: Mon, 4 Apr 2022 12:21:54 +0300
Subject: [PATCH] [#1283] services/object: Disallow creating objects without a
 session token

Signed-off-by: Evgenii Stratonikov <evgeniy@nspcc.ru>
---
 pkg/services/object/put/streamer.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/pkg/services/object/put/streamer.go b/pkg/services/object/put/streamer.go
index 3c8c0e6e4..b6d33a277 100644
--- a/pkg/services/object/put/streamer.go
+++ b/pkg/services/object/put/streamer.go
@@ -11,6 +11,7 @@ import (
 	"github.com/nspcc-dev/neofs-node/pkg/services/object_manager/placement"
 	"github.com/nspcc-dev/neofs-node/pkg/services/object_manager/transformer"
 	"github.com/nspcc-dev/neofs-sdk-go/object"
+	"github.com/nspcc-dev/neofs-sdk-go/owner"
 )
 
 type Streamer struct {
@@ -88,6 +89,12 @@ func (p *Streamer) initTarget(prm *PutInitPrm) error {
 		return fmt.Errorf("(%T) could not receive session key: %w", p, err)
 	}
 
+	// In case session token is missing, the line above returns the default key.
+	// If it isn't owner key, replication attempts will fail, thus this check.
+	if sToken == nil && !prm.hdr.OwnerID().Equal(owner.NewIDFromPublicKey(&sessionKey.PublicKey)) {
+		return fmt.Errorf("(%T) session token is missing but object owner id is different from the default key", p)
+	}
+
 	p.target = transformer.NewPayloadSizeLimiter(
 		p.maxPayloadSz,
 		func() transformer.ObjectTarget {