chore: ignore jwt if not access controlled

tripodsan · tripodsan · commit 7abfd3254b4e · 2023-07-10T11:43:08.000+02:00
diff --git a/src/steps/authenticate.js b/src/steps/authenticate.js
@@ -36,11 +36,9 @@ export function isAllowed(email = '', allows = []) {
  * @returns {Promise<void>}
  */
 export async function authenticate(state, req, res) {
-  // get auth info
-  const authInfo = await getAuthInfo(state, req);
-
   // check if `.auth` route to validate and exchange token
   if (state.info.path === '/.auth') {
+    const authInfo = await getAuthInfo(state, req);
     await authInfo.exchangeToken(state, req, res);
     return;
   }
@@ -50,6 +48,9 @@ export async function authenticate(state, req, res) {
     return;
   }
 
+  // get auth info
+  const authInfo = await getAuthInfo(state, req);
+
   // if not authenticated, redirect to login screen
   if (!authInfo.authenticated) {
     // send 401 for plain requests
