From dc3b2bc83e61004f6fa2713898e3d7de6bd28f8f Mon Sep 17 00:00:00 2001
From: Stavros
Date: Sat, 5 Jul 2025 15:37:48 +0300
Subject: [PATCH] refactor: bot suggestions

---
 internal/auth/auth.go | 11 ++++++++++-
 internal/ldap/ldap.go | 7 ++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 8a1efe2..cc17340 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -127,12 +127,21 @@ func (auth *Auth) VerifyUser(search types.UserSearch, password string) bool {
 			}
 			// If bind is successful, rebind with the LDAP bind user
-			auth.LDAP.Bind(auth.LDAP.Config.BindDN, auth.LDAP.Config.BindPassword)
+			err = auth.LDAP.Bind(auth.LDAP.Config.BindDN, auth.LDAP.Config.BindPassword)
+			if err != nil {
+				log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")
+				// Consider closing the connection or creating a new one
+				return false
+			}
+			log.Debug().Str("username", search.Username).Msg("LDAP authentication successful")
 			// Return true if the bind was successful
 			return true
 		}
+	default:
+		log.Warn().Str("type", search.Type).Msg("Unknown user type for authentication")
+		return false
 	}
 	// If no user found or authentication failed, return false
diff --git a/internal/ldap/ldap.go b/internal/ldap/ldap.go
index 481eb66..4a33f46 100644
--- a/internal/ldap/ldap.go
+++ b/internal/ldap/ldap.go
@@ -18,6 +18,7 @@ func NewLDAP(config types.LdapConfig) (*LDAP, error) {
 	// Connect to the LDAP server
 	conn, err := ldapgo.DialURL(config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
 		InsecureSkipVerify: config.Insecure,
+		MinVersion: tls.VersionTLS12,
 	}))
 	if err != nil {
 		return nil, err
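Review bot: The new rebind-failure branch returns false but leaves the connection behind `auth.LDAP` bound as the just-authenticated user, or in whatever state the failed Bind left it, and the added `// Consider closing the connection or creating a new one` comment only postpones that decision; any later Search on the same connection then runs under the wrong identity. If that connection is shared across requests, which I infer from `auth.LDAP` being a long-lived field rather than a per-call dial, the window between the user bind above and this rebind is also a race with concurrent searches. I would replace the comment with an explicit invalidation on this path, for example closing the connection so the next caller reconnects as the service account, or give each verification its own connection. VerifyUser's body starts above and ends below the hunk.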
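Review bot: The added `MinVersion: tls.VersionTLS12` only takes effect when `config.Address` uses the ldaps scheme, since as far as I know the config given to DialWithTLSConfig is used by DialURL for ldaps:// only and a plain ldap:// address gets no TLS unless StartTLS is called with its own config. A comment on the `tls.Config` literal such as `// Applies to ldaps:// addresses only; a StartTLS path must pass the same config` would stop a reader from assuming the version floor covers every connection. It is also worth spelling out next to it that `config.Insecure` disables certificate verification entirely while the floor still applies. NewLDAP's signature is above the hunk and its body continues below it.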
@@ -37,11 +38,15 @@ func NewLDAP(config types.LdapConfig) (*LDAP, error) {
 }
 func (l *LDAP) Search(username string) (string, error) {
+	// Escape the username to prevent LDAP injection
+	escapedUsername := ldapgo.EscapeFilter(username)
+	filter := fmt.Sprintf(l.Config.SearchFilter, escapedUsername)
+
 	// Create a search request to find the user by username
 	searchRequest := ldapgo.NewSearchRequest(
 		l.BaseDN,
 		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
-		fmt.Sprintf(l.Config.SearchFilter, username),
+		filter,
 		[]string{"dn"},
 		nil,
 	)
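Review bot: `fmt.Sprintf(l.Config.SearchFilter, escapedUsername)` still trusts the configured template to contain exactly one `%s`; a template with no verb or with two yields `%!s(MISSING)` or `%!(EXTRA ...)` text inside the filter instead of an error, so the escaping fix is only as sound as the config it is applied to. I would validate the template once at construction, e.g. `if strings.Count(config.SearchFilter, "%s") != 1 { return nil, errors.New("ldap search filter must contain exactly one %s") }` in NewLDAP, or replace a named placeholder with strings.Replace so the template cannot introduce other verbs. A test asserting that the escaped value of a username containing `*`, `(`, `)` or `\` contains none of those raw characters would pin the behaviour this hunk adds. Search's body continues past the hunk.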