From 59b2dd1d6622ea4264d76d90b656e813afc95d61 Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Tue, 2 May 2023 08:33:12 +0200
Subject: [PATCH] fix(handler/reverseproxy): only trigger acr step up for non-ignored autologin paths
---
 pkg/handler/autologin/autologin.go | 4 ++--
 pkg/handler/reverseproxy.go | 7 ++++---
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/pkg/handler/autologin/autologin.go b/pkg/handler/autologin/autologin.go
index 734d421..983e6bd 100644
--- a/pkg/handler/autologin/autologin.go
+++ b/pkg/handler/autologin/autologin.go
@@ -21,8 +21,8 @@ type AutoLogin struct {
 cache sync.Map
 }
-func (a *AutoLogin) NeedsLogin(r *http.Request, isAuthenticated bool) bool {
- if isAuthenticated || !a.Enabled || r.Method != http.MethodGet {
+func (a *AutoLogin) NeedsLogin(r *http.Request, isAuthenticated, isAcrValid bool) bool {
+ if (isAuthenticated && isAcrValid) || !a.Enabled || r.Method != http.MethodGet {
 return false
 }
diff --git a/pkg/handler/reverseproxy.go b/pkg/handler/reverseproxy.go
index 8fa1aac..9d11479 100644
--- a/pkg/handler/reverseproxy.go
+++ b/pkg/handler/reverseproxy.go
@@ -84,13 +84,14 @@ func (rp *ReverseProxy) Handler(src ReverseProxySource, w http.ResponseWriter, r
 logger.Errorf("default: unauthenticated: unexpected error: %+v", err)
 }
+ isAcrValid := true
 err = src.GetAcrHandler().Validate(sess)
 if err != nil {
- loginRedirect(src, w, r, err.Error())
- return
+ isAcrValid = false
+ logger.Infof("default: acr: %+v; checking for autologin...", err)
 }
- if src.GetAutoLogin().NeedsLogin(r, isAuthenticated) {
+ if src.GetAutoLogin().NeedsLogin(r, isAuthenticated, isAcrValid) {
 loginRedirect(src, w, r, "request matches autologin")
 return
 }
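Review bot: `NeedsLogin` is exported, has no doc comment, and now takes two adjacent `bool` parameters (`isAuthenticated, isAcrValid`) that a call site can swap without any compiler error. Since the guard decides whether an under-assured session is sent back to login, the contract should be written down, for example `// NeedsLogin reports whether r should be redirected to login. It returns false when auto-login is disabled, when the method is not GET, or when the session is authenticated and satisfies the ACR requirement.` The rest of the body, presumably the path matching, lies outside the hunk, so the comment should be extended to cover it.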
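Review bot: A failed `Validate(sess)` no longer stops the request by itself, because the `loginRedirect`/`return` pair in the `if err != nil` branch is replaced by a log line and enforcement now rests entirely on `NeedsLogin` returning true. Per the autologin.go hunk, `NeedsLogin` returns false when auto-login is disabled or the method is not GET, so in those cases a session below the required ACR level continues past this point. The remainder of `Handler` is outside the hunk, so it is not visible whether the later code still treats that session as authenticated. If it does, gate it on both flags, e.g. `isAuthenticated = isAuthenticated && isAcrValid` after the `NeedsLogin` check. A test with a non-GET request and an insufficient ACR would pin the intended behaviour.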