Unused s.requireNoAuth? #72

Open
kriive opened this issue Apr 29, 2022 · 0 comments
kriive commented Apr 29, 2022

The requireNoAuth middleware should redirect users to the homepage if they are already logged in.

wtf/http/server.go

Lines 111 to 116 in 05bc90c

```go
// Register unauthenticated routes.
{
	r := s.router.PathPrefix("/").Subrouter()
	r.Use(s.requireNoAuth)
	s.registerAuthRoutes(r)
}
```

But if they are required not to be logged in, how can they issue a logout, since the route is protected by the requireNoAuth middleware?

wtf/http/auth.go

Lines 19 to 24 in 05bc90c

```go
func (s *Server) registerAuthRoutes(r *mux.Router) {
	r.HandleFunc("/login", s.handleLogin).Methods("GET")
	r.HandleFunc("/logout", s.handleLogout).Methods("DELETE")
	r.HandleFunc("/oauth/github", s.handleOAuthGitHub).Methods("GET")
	r.HandleFunc("/oauth/github/callback", s.handleOAuthGitHubCallback).Methods("GET")
}
```

My guess is that the mux subrouter doesn't authenticate the user (note the s.router.PathPrefix("/") and not router.PathPrefix("/")), so the requireNoAuth always delegates to the next handler, thus no restrictions are actually in place.
