From dd7b6f44f2939714c0faf0af69b28311844b7f47 Mon Sep 17 00:00:00 2001
From: qwerty287 <qwerty287@posteo.de>
Date: Sat, 21 Mar 2026 10:32:10 +0100
Subject: [PATCH] Prevent registering as arbitrary agents with system token

---
 server/rpc/auth_server.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/server/rpc/auth_server.go b/server/rpc/auth_server.go
index d14fd91215c..aef148c2be0 100644
--- a/server/rpc/auth_server.go
+++ b/server/rpc/auth_server.go
@@ -76,10 +76,17 @@ func (s *WoodpeckerAuthServer) getAgent(agentID int64, agentToken string) (*mode
 
 		if agentToken == s.agentMasterToken {
 			agent, err := s.store.AgentFind(agentID)
-			if err != nil && errors.Is(err, types.ErrRecordNotExist) {
-				return nil, fmt.Errorf("AgentID not found in database")
+			if err != nil {
+				if errors.Is(err, types.ErrRecordNotExist) {
+					return nil, fmt.Errorf("AgentID not found in database")
+				} else {
+					return nil, err
+				}
+			}
+			if !agent.IsSystemAgent() {
+				return nil, fmt.Errorf("the agent with this ID is not a system agent")
 			}
-			return agent, err
+			return agent, nil
 		}
 	}