fix(auth): too restrictive session handling (#933)

ze0s 2023-05-15 19:09:06 +02:00 committed by GitHub
parent 71ffbe0e43
commit 97333d334f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -74,18 +74,15 @@ func (h authHandler) login(w http.ResponseWriter, r *http.Request) {
h.cookieStore.Options.SameSite = http.SameSiteStrictMode h.cookieStore.Options.SameSite = http.SameSiteStrictMode
} }
session, err := h.cookieStore.Get(r, "user_session") if _, err := h.service.Login(ctx, data.Username, data.Password); err != nil {
if err != nil {
h.encoder.StatusError(w, http.StatusInternalServerError, errors.New("could not get session"))
return
}
if _, err = h.service.Login(ctx, data.Username, data.Password); err != nil {
h.log.Error().Err(err).Msgf("Auth: Failed login attempt username: [%s] ip: %s", data.Username, ReadUserIP(r)) h.log.Error().Err(err).Msgf("Auth: Failed login attempt username: [%s] ip: %s", data.Username, ReadUserIP(r))
h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("could not login: bad credentials")) h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("could not login: bad credentials"))
return return
} }
// create new session
session, _ := h.cookieStore.Get(r, "user_session")
// Set user as authenticated // Set user as authenticated
session.Values["authenticated"] = true session.Values["authenticated"] = true
if err := session.Save(r, w); err != nil { if err := session.Save(r, w); err != nil {
@ -97,13 +94,10 @@ func (h authHandler) login(w http.ResponseWriter, r *http.Request) {
} }
func (h authHandler) logout(w http.ResponseWriter, r *http.Request) { func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
session, err := h.cookieStore.Get(r, "user_session") session, _ := h.cookieStore.Get(r, "user_session")
if err != nil {
h.log.Error().Err(err).Msg("could not get session")
h.encoder.StatusError(w, http.StatusInternalServerError, errors.New("could not get session"))
return
}
// cookieStore.Get will create a new session if it does not exist
// so if it created a new then lets just return without saving it
if session.IsNew { if session.IsNew {
h.encoder.StatusResponse(w, http.StatusNoContent, nil) h.encoder.StatusResponse(w, http.StatusNoContent, nil)
return return
@ -128,10 +122,6 @@ func (h authHandler) onboard(w http.ResponseWriter, r *http.Request) {
// Don't proceed if user is authenticated // Don't proceed if user is authenticated
if authenticated, ok := session.Values["authenticated"].(bool); ok { if authenticated, ok := session.Values["authenticated"].(bool); ok {
if ok && authenticated { if ok && authenticated {
session.Values["authenticated"] = false
session.Options.MaxAge = -1
session.Save(r, w)
h.encoder.StatusError(w, http.StatusForbidden, errors.New("active session found")) h.encoder.StatusError(w, http.StatusForbidden, errors.New("active session found"))
return return
} }
@ -172,11 +162,7 @@ func (h authHandler) canOnboard(w http.ResponseWriter, r *http.Request) {
} }
func (h authHandler) validate(w http.ResponseWriter, r *http.Request) { func (h authHandler) validate(w http.ResponseWriter, r *http.Request) {
session, err := h.cookieStore.Get(r, "user_session") session, _ := h.cookieStore.Get(r, "user_session")
if err != nil {
h.encoder.StatusError(w, http.StatusInternalServerError, errors.New("could not get session"))
return
}
// Check if user is authenticated // Check if user is authenticated
if auth, ok := session.Values["authenticated"].(bool); !ok || !auth { if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {