refactor: check cookie prior to basiv auth in context hook

2025-10-31 14:15:50 +00:00 · 2025-07-15 02:10:16 +03:00
parent 2233557990
commit f25ab72747
2 changed files with 80 additions and 84 deletions
--- a/internal/hooks/hooks.go
+++ b/internal/hooks/hooks.go
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strings"
 	"tinyauth/internal/auth"
+	"tinyauth/internal/oauth"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/types"
 	"tinyauth/internal/utils"
@@ -27,28 +28,92 @@ func NewHooks(config types.HooksConfig, auth *auth.Auth, providers *providers.Pr
 }

 func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {
-	// Get session cookie and basic auth
 	cookie, err := hooks.Auth.GetSessionCookie(c)
+	var provider *oauth.OAuth
+
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to get session cookie")
+		goto basic
+	}
+
+	if cookie.TotpPending {
+		log.Debug().Msg("Totp pending")
+		return types.UserContext{
+			Username:    cookie.Username,
+			Name:        cookie.Name,
+			Email:       cookie.Email,
+			Provider:    cookie.Provider,
+			TotpPending: true,
+		}
+	}
+
+	if cookie.Provider == "username" {
+		log.Debug().Msg("Provider is username")
+
+		userSearch := hooks.Auth.SearchUser(cookie.Username)
+
+		if userSearch.Type == "unknown" {
+			log.Warn().Str("username", cookie.Username).Msg("User does not exist")
+			goto basic
+		}
+
+		log.Debug().Str("type", userSearch.Type).Msg("User exists")
+
+		return types.UserContext{
+			Username:   cookie.Username,
+			Name:       cookie.Name,
+			Email:      cookie.Email,
+			IsLoggedIn: true,
+			Provider:   "username",
+		}
+	}
+
+	log.Debug().Msg("Provider is not username")
+
+	provider = hooks.Providers.GetProvider(cookie.Provider)
+
+	if provider != nil {
+		log.Debug().Msg("Provider exists")
+
+		if !hooks.Auth.EmailWhitelisted(cookie.Email) {
+			log.Warn().Str("email", cookie.Email).Msg("Email is not whitelisted")
+			hooks.Auth.DeleteSessionCookie(c)
+			goto basic
+		}
+
+		log.Debug().Msg("Email is whitelisted")
+
+		return types.UserContext{
+			Username:    cookie.Username,
+			Name:        cookie.Name,
+			Email:       cookie.Email,
+			IsLoggedIn:  true,
+			OAuth:       true,
+			Provider:    cookie.Provider,
+			OAuthGroups: cookie.OAuthGroups,
+		}
+	}
+
+basic:
+	log.Debug().Msg("Trying basic auth")
+
 	basic := hooks.Auth.GetBasicAuth(c)

-	// Check if basic auth is set
 	if basic != nil {
 		log.Debug().Msg("Got basic auth")

 		userSearch := hooks.Auth.SearchUser(basic.Username)

 		if userSearch.Type == "unkown" {
-			log.Warn().Str("username", basic.Username).Msg("Basic auth user does not exist, skipping")
-			goto session
+			log.Error().Str("username", basic.Username).Msg("Basic auth user does not exist")
+			return types.UserContext{}
 		}

-		// Verify the user
 		if !hooks.Auth.VerifyUser(userSearch, basic.Password) {
-			log.Error().Str("username", basic.Username).Msg("Basic auth user password incorrect, skipping")
-			goto session
+			log.Error().Str("username", basic.Username).Msg("Basic auth user password incorrect")
+			return types.UserContext{}
 		}

-		// Get the user type
 		if userSearch.Type == "ldap" {
 			log.Debug().Msg("User is LDAP")

@@ -75,74 +140,5 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) types.UserContext {

 	}

-session:
-	// Check cookie error after basic auth
-	if err != nil {
-		log.Error().Err(err).Msg("Failed to get session cookie")
-		return types.UserContext{}
-	}
-
-	if cookie.TotpPending {
-		log.Debug().Msg("Totp pending")
-		return types.UserContext{
-			Username:    cookie.Username,
-			Name:        cookie.Name,
-			Email:       cookie.Email,
-			Provider:    cookie.Provider,
-			TotpPending: true,
-		}
-	}
-
-	// Check if session cookie is username/password auth
-	if cookie.Provider == "username" {
-		log.Debug().Msg("Provider is username")
-
-		userSearch := hooks.Auth.SearchUser(cookie.Username)
-
-		if userSearch.Type == "unknown" {
-			log.Error().Str("username", cookie.Username).Msg("User does not exist")
-			return types.UserContext{}
-		}
-
-		log.Debug().Str("type", userSearch.Type).Msg("User exists")
-
-		return types.UserContext{
-			Username:   cookie.Username,
-			Name:       cookie.Name,
-			Email:      cookie.Email,
-			IsLoggedIn: true,
-			Provider:   "username",
-		}
-	}
-
-	log.Debug().Msg("Provider is not username")
-
-	// The provider is not username so we need to check if it is an oauth provider
-	provider := hooks.Providers.GetProvider(cookie.Provider)
-
-	// If we have a provider with this name
-	if provider != nil {
-		log.Debug().Msg("Provider exists")
-
-		// If the email is not whitelisted we delete the cookie and return an empty context
-		if !hooks.Auth.EmailWhitelisted(cookie.Email) {
-			log.Error().Str("email", cookie.Email).Msg("Email is not whitelisted")
-			hooks.Auth.DeleteSessionCookie(c)
-			return types.UserContext{}
-		}
-
-		log.Debug().Msg("Email is whitelisted")
-
-		return types.UserContext{
-			Username:    cookie.Username,
-			Name:        cookie.Name,
-			Email:       cookie.Email,
-			IsLoggedIn:  true,
-			OAuth:       true,
-			Provider:    cookie.Provider,
-			OAuthGroups: cookie.OAuthGroups,
-		}
-	}
-
 	return types.UserContext{}
 }