fix: authentization bug

semaphoreui · Mar 13, 2023 · 3e4a62b · 3e4a62b
1 parent f62cea4
commit 3e4a62b
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 22 deletions.
diff --git a/api/auth.go b/api/auth.go
@@ -11,7 +11,7 @@ import (
  "time"
 )
 
-func authenticationHandler(w http.ResponseWriter, r *http.Request) {
+func authenticationHandler(w http.ResponseWriter, r *http.Request) bool {
  var userID int
 
  authHeader := strings.ToLower(r.Header.Get("authorization"))
@@ -25,7 +25,7 @@ func authenticationHandler(w http.ResponseWriter, r *http.Request) {
  }
 
  w.WriteHeader(http.StatusUnauthorized)
- return
+ return false
  }
 
  userID = token.UserID
@@ -34,20 +34,20 @@ func authenticationHandler(w http.ResponseWriter, r *http.Request) {
  cookie, err := r.Cookie("semaphore")
  if err != nil {
  w.WriteHeader(http.StatusUnauthorized)
- return
+ return false
  }
 
  value := make(map[string]interface{})
  if err = util.Cookie.Decode("semaphore", cookie.Value, &value); err != nil {
  w.WriteHeader(http.StatusUnauthorized)
- return
+ return false
  }
 
  user, ok := value["user"]
  sessionVal, okSession := value["session"]
  if !ok || !okSession {
  w.WriteHeader(http.StatusUnauthorized)
- return
+ return false
  }
 
  userID = user.(int)
@@ -58,7 +58,7 @@ func authenticationHandler(w http.ResponseWriter, r *http.Request) {
 
  if err != nil {
  w.WriteHeader(http.StatusUnauthorized)
- return
+ return false
  }
 
  if time.Since(session.LastActive).Hours() > 7*24 {
@@ -70,13 +70,13 @@ func authenticationHandler(w http.ResponseWriter, r *http.Request) {
  }
 
  w.WriteHeader(http.StatusUnauthorized)
- return
+ return false
  }
 
  if err := helpers.Store(r).TouchSession(userID, sessionID); err != nil {
  log.Error(err)
  w.WriteHeader(http.StatusUnauthorized)
- return
+ return false
  }
  }
 
@@ -87,26 +87,29 @@ func authenticationHandler(w http.ResponseWriter, r *http.Request) {
  log.Error(err)
  }
  w.WriteHeader(http.StatusUnauthorized)
- return
+ return false
  }
 
  if util.Config.DemoMode {
  if !user.Admin && r.Method != "GET" &&
  !strings.HasSuffix(r.URL.Path, "/tasks") &&
  !strings.HasSuffix(r.URL.Path, "/stop") {
  w.WriteHeader(http.StatusUnauthorized)
- return
+ return false
  }
  }
 
  context.Set(r, "user", &user)
+ return true
 }
 
 // nolint: gocyclo
 func authentication(next http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- authenticationHandler(w, r)
- next.ServeHTTP(w, r)
+ ok := authenticationHandler(w, r)
+ if ok {
+ next.ServeHTTP(w, r)
+ }
  })
 }
 
@@ -115,10 +118,14 @@ func authenticationWithStore(next http.Handler) http.Handler {
  return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  store := helpers.Store(r)
 
+ var ok bool
+
  db.StoreSession(store, r.URL.String(), func() {
- authenticationHandler(w, r)
+ ok = authenticationHandler(w, r)
  })
 
- next.ServeHTTP(w, r)
+ if ok {
+ next.ServeHTTP(w, r)
+ }
  })
 }
diff --git a/api/router.go b/api/router.go
@@ -348,16 +348,8 @@ func servePublic(w http.ResponseWriter, r *http.Request) {
 }
 
 func getSystemInfo(w http.ResponseWriter, r *http.Request) {
- //updateAvailable, err := util.CheckUpdate()
-
- //if err != nil {
- // helpers.WriteError(w, err)
- // return
- //}
-
  body := map[string]interface{}{
  "version": util.Version,
- //"update": updateAvailable,
  "ansible": util.AnsibleVersion(),
  "demo": util.Config.DemoMode,
  }