fix: coderabbit suggestions

2026-02-27 19:32:00 +00:00 · 2025-08-26 14:31:09 +03:00
parent d3c40bb366
commit a5e1ae096b
19 changed files with 178 additions and 47 deletions
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -23,6 +23,7 @@ type OAuthControllerConfig struct {
 	RedirectCookieName string
 	SecureCookie       bool
 	AppURL             string
+	Domain             string
 }

 type OAuthController struct {
@@ -77,7 +78,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {

 	redirectURI := c.Query("redirect_uri")

-	if redirectURI != "" {
+	if redirectURI != "" && utils.IsRedirectSafe(redirectURI, controller.Config.Domain) {
 		log.Debug().Msg("Setting redirect URI cookie")
 		c.SetCookie(controller.Config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", "", controller.Config.SecureCookie, true)
 	}
@@ -178,7 +179,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {

 	redirectURI, err := c.Cookie(controller.Config.RedirectCookieName)

-	if err != nil {
+	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.Config.Domain) {
 		log.Debug().Msg("No redirect URI cookie found, redirecting to app root")
 		c.Redirect(http.StatusTemporaryRedirect, controller.Config.AppURL)
 		return
@@ -195,5 +196,5 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	}

 	c.SetCookie(controller.Config.RedirectCookieName, "", -1, "/", "", controller.Config.SecureCookie, true)
-	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/login?%s", controller.Config.AppURL, queries.Encode()))
+	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.Config.AppURL, queries.Encode()))
 }
--- a/internal/controller/proxy_controller.go
+++ b/internal/controller/proxy_controller.go
@@ -128,6 +128,7 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to encode unauthorized query")
 			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.Config.AppURL))
+			return
 		}

 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.Config.AppURL, queries.Encode()))
@@ -212,9 +213,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 			})

 			if userContext.OAuth {
-				queries.Set("username", userContext.Username)
-			} else {
 				queries.Set("username", userContext.Email)
+			} else {
+				queries.Set("username", userContext.Username)
 			}

 			if err != nil {
@@ -247,9 +248,9 @@ func (controller *ProxyController) proxyHandler(c *gin.Context) {
 				})

 				if userContext.OAuth {
-					queries.Set("username", userContext.Username)
-				} else {
 					queries.Set("username", userContext.Email)
+				} else {
+					queries.Set("username", userContext.Username)
 				}

 				if err != nil {
--- a/internal/controller/resources_controller.go
+++ b/internal/controller/resources_controller.go
@@ -11,14 +11,18 @@ type ResourcesControllerConfig struct {
 }

 type ResourcesController struct {
-	Config ResourcesControllerConfig
-	Router *gin.RouterGroup
+	Config     ResourcesControllerConfig
+	Router     *gin.RouterGroup
+	FileServer http.Handler
 }

 func NewResourcesController(config ResourcesControllerConfig, router *gin.RouterGroup) *ResourcesController {
+	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(config.ResourcesDir)))
+
 	return &ResourcesController{
-		Config: config,
-		Router: router,
+		Config:     config,
+		Router:     router,
+		FileServer: fileServer,
 	}
 }

@@ -27,6 +31,12 @@ func (controller *ResourcesController) SetupRoutes() {
 }

 func (controller *ResourcesController) resourcesHandler(c *gin.Context) {
-	fileServer := http.StripPrefix("/resources", http.FileServer(http.Dir(controller.Config.ResourcesDir)))
-	fileServer.ServeHTTP(c.Writer, c.Request)
+	if controller.Config.ResourcesDir == "" {
+		c.JSON(404, gin.H{
+			"status":  404,
+			"message": "Resources not found",
+		})
+		return
+	}
+	controller.FileServer.ServeHTTP(c.Writer, c.Request)
 }
--- a/internal/controller/user_controller.go
+++ b/internal/controller/user_controller.go
@@ -112,7 +112,7 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		if user.TotpSecret != "" {
 			log.Debug().Str("username", req.Username).Msg("User has TOTP enabled, requiring TOTP verification")

-			controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
+			err := controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
 				Username:    user.Username,
 				Name:        utils.Capitalize(req.Username),
 				Email:       fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.Config.Domain),
@@ -120,6 +120,15 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 				TotpPending: true,
 			})

+			if err != nil {
+				log.Error().Err(err).Msg("Failed to create session cookie")
+				c.JSON(500, gin.H{
+					"status":  500,
+					"message": "Internal Server Error",
+				})
+				return
+			}
+
 			c.JSON(200, gin.H{
 				"status":      200,
 				"message":     "TOTP required",
@@ -129,13 +138,22 @@ func (controller *UserController) loginHandler(c *gin.Context) {
 		}
 	}

-	controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
+	err = controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: req.Username,
 		Name:     utils.Capitalize(req.Username),
 		Email:    fmt.Sprintf("%s@%s", strings.ToLower(req.Username), controller.Config.Domain),
 		Provider: "username",
 	})

+	if err != nil {
+		log.Error().Err(err).Msg("Failed to create session cookie")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Login successful",
@@ -144,7 +162,9 @@ func (controller *UserController) loginHandler(c *gin.Context) {

 func (controller *UserController) logoutHandler(c *gin.Context) {
 	log.Debug().Msg("Logout request received")
+
 	controller.Auth.DeleteSessionCookie(c)
+
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Logout successful",
@@ -175,8 +195,8 @@ func (controller *UserController) totpHandler(c *gin.Context) {
 		return
 	}

-	if !context.IsLoggedIn {
-		log.Warn().Msg("TOTP attempt without being logged in")
+	if !context.TotpPending {
+		log.Warn().Msg("TOTP attempt without a pending TOTP session")
 		c.JSON(401, gin.H{
 			"status":  401,
 			"message": "Unauthorized",
@@ -223,13 +243,22 @@ func (controller *UserController) totpHandler(c *gin.Context) {

 	controller.Auth.RecordLoginAttempt(rateIdentifier, true)

-	controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
+	err = controller.Auth.CreateSessionCookie(c, &config.SessionCookie{
 		Username: user.Username,
 		Name:     utils.Capitalize(user.Username),
 		Email:    fmt.Sprintf("%s@%s", strings.ToLower(user.Username), controller.Config.Domain),
 		Provider: "username",
 	})

+	if err != nil {
+		log.Error().Err(err).Msg("Failed to create session cookie")
+		c.JSON(500, gin.H{
+			"status":  500,
+			"message": "Internal Server Error",
+		})
+		return
+	}
+
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "Login successful",