From 33323887ec10449f30d596fab65d6cb612365f1e Mon Sep 17 00:00:00 2001
From: iandyh <mail@andyh.io>
Date: Tue, 12 Dec 2023 16:24:19 +0900
Subject: [PATCH] add ownership to metrics streaming as well

---
 shibuya/api/main.go | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/shibuya/api/main.go b/shibuya/api/main.go
index 280989cd..ec96691d 100644
--- a/shibuya/api/main.go
+++ b/shibuya/api/main.go
@@ -733,7 +733,11 @@ func (s *ShibuyaAPI) planLogHandler(w http.ResponseWriter, r *http.Request, para
 }
 
 func (s *ShibuyaAPI) streamCollectionMetrics(w http.ResponseWriter, r *http.Request, params httprouter.Params) {
-	// Currently we don't do authentication for simplicity.
+	collection, err := checkCollectionOwnership(r, params)
+	if err != nil {
+		s.handleErrors(w, err)
+		return
+	}
 	flusher, ok := w.(http.Flusher)
 	if !ok {
 		http.Error(w, "Streaming unsupported!", http.StatusInternalServerError)
@@ -744,11 +748,6 @@ func (s *ShibuyaAPI) streamCollectionMetrics(w http.ResponseWriter, r *http.Requ
 	w.Header().Set("Connection", "keep-alive")
 	w.Header().Set("Access-Control-Allow-Origin", "*")
 
-	collection, err := getCollection(params.ByName("collection_id"))
-	if err != nil {
-		s.handleErrors(w, err)
-		return
-	}
 	clientIP := retrieveClientIP(r)
 	item := &controller.ApiMetricStream{
 		StreamClient: make(chan *controller.ApiMetricStreamEvent),