feat(handler): validate acr if configured, change auth status if invalid

pkg/handler/acr/acr.go

@@ -21,7 +21,7 @@ func (h *Handler) Validate(sess *session.Session) error {
 
 func NewHandler(cfg *config.Config) *Handler {
 	return &Handler{
-		Enabled:       len(cfg.OpenID.ACRValues) > 0 && cfg.AutoLogin,
+		Enabled:       len(cfg.OpenID.ACRValues) > 0,
 		ExpectedValue: cfg.OpenID.ACRValues,
 	}
 }

pkg/handler/autologin/autologin.go

@@ -21,8 +21,8 @@ type AutoLogin struct {
 	cache          sync.Map
 }
 
-func (a *AutoLogin) NeedsLogin(r *http.Request, isAuthenticated, isAcrValid bool) bool {
-	if (isAuthenticated && isAcrValid) || !a.Enabled || r.Method != http.MethodGet {
+func (a *AutoLogin) NeedsLogin(r *http.Request, isAuthenticated bool) bool {
+	if isAuthenticated || !a.Enabled || r.Method != http.MethodGet {
 		return false
 	}
 

pkg/handler/error.go

@@ -69,7 +69,7 @@ func (s *Standalone) respondError(w http.ResponseWriter, r *http.Request, status
 	incrementRetryAttempt(w, r, s.GetCookieOptions(r))
 
 	attempts, ok := getRetryAttempts(r)
-	if !ok || ok && attempts < MaxAutoRetryAttempts {
+	if !ok || (ok && attempts < MaxAutoRetryAttempts) {
 		loginCookie, err := openid.GetLoginCookie(r, s.Crypter)
 		if err != nil {
 			loginCookie = nil

pkg/handler/reverseproxy.go

@@ -89,14 +89,13 @@ func (rp *ReverseProxy) Handler(src ReverseProxySource, w http.ResponseWriter, r
 		logger.Errorf("default: unauthenticated: unexpected error: %+v", err)
 	}
 
-	isAcrValid := true
 	err = src.GetAcrHandler().Validate(sess)
 	if err != nil {
-		isAcrValid = false
-		logger.Infof("default: acr: %+v; checking for autologin...", err)
+		isAuthenticated = false
+		logger.Infof("default: unauthenticated: acr: %+v; checking for autologin...", err)
 	}
 
-	if src.GetAutoLogin().NeedsLogin(r, isAuthenticated, isAcrValid) {
+	if src.GetAutoLogin().NeedsLogin(r, isAuthenticated) {
 		loginRedirect(src, w, r, "request matches autologin")
 		return
 	}