refactor: bot suggestions

internal/auth/auth.go

@@ -127,12 +127,21 @@ func (auth *Auth) VerifyUser(search types.UserSearch, password string) bool {
 			}
 
 			// If bind is successful, rebind with the LDAP bind user
-			auth.LDAP.Bind(auth.LDAP.Config.BindDN, auth.LDAP.Config.BindPassword)
+			err = auth.LDAP.Bind(auth.LDAP.Config.BindDN, auth.LDAP.Config.BindPassword)
+			if err != nil {
+				log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")
+				// Consider closing the connection or creating a new one
+				return false
+			}
+
 			log.Debug().Str("username", search.Username).Msg("LDAP authentication successful")
 
 			// Return true if the bind was successful
 			return true
 		}
+	default:
+		log.Warn().Str("type", search.Type).Msg("Unknown user type for authentication")
+		return false
 	}
 
 	// If no user found or authentication failed, return false

internal/ldap/ldap.go

@@ -18,6 +18,7 @@ func NewLDAP(config types.LdapConfig) (*LDAP, error) {
 	// Connect to the LDAP server
 	conn, err := ldapgo.DialURL(config.Address, ldapgo.DialWithTLSConfig(&tls.Config{
 		InsecureSkipVerify: config.Insecure,
+		MinVersion:         tls.VersionTLS12,
 	}))
 	if err != nil {
 		return nil, err
@@ -37,11 +38,15 @@ func NewLDAP(config types.LdapConfig) (*LDAP, error) {
 }
 
 func (l *LDAP) Search(username string) (string, error) {
+	// Escape the username to prevent LDAP injection
+	escapedUsername := ldapgo.EscapeFilter(username)
+	filter := fmt.Sprintf(l.Config.SearchFilter, escapedUsername)
+
 	// Create a search request to find the user by username
 	searchRequest := ldapgo.NewSearchRequest(
 		l.BaseDN,
 		ldapgo.ScopeWholeSubtree, ldapgo.NeverDerefAliases, 0, 0, false,
-		fmt.Sprintf(l.Config.SearchFilter, username),
+		filter,
 		[]string{"dn"},
 		nil,
 	)