From 97f0d078bfb24f4531be0e90f2bd17aa94dfe3e8 Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Fri, 12 May 2023 08:45:18 +0200
Subject: [PATCH] feat(handler): validate acr if configured, change auth status if invalid
---
 pkg/handler/acr/acr.go | 2 +-
 pkg/handler/autologin/autologin.go | 4 ++--
 pkg/handler/error.go | 2 +-
 pkg/handler/reverseproxy.go | 7 +++----
 4 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/pkg/handler/acr/acr.go b/pkg/handler/acr/acr.go
index ace7134..a7af7d9 100644
--- a/pkg/handler/acr/acr.go
+++ b/pkg/handler/acr/acr.go
@@ -21,7 +21,7 @@ func (h *Handler) Validate(sess *session.Session) error {
 func NewHandler(cfg *config.Config) *Handler {
 return &Handler{
- Enabled: len(cfg.OpenID.ACRValues) > 0 && cfg.AutoLogin,
+ Enabled: len(cfg.OpenID.ACRValues) > 0,
 ExpectedValue: cfg.OpenID.ACRValues,
 }
 }
diff --git a/pkg/handler/autologin/autologin.go b/pkg/handler/autologin/autologin.go
index 983e6bd..734d421 100644
--- a/pkg/handler/autologin/autologin.go
+++ b/pkg/handler/autologin/autologin.go
@@ -21,8 +21,8 @@ type AutoLogin struct {
 cache sync.Map
 }
-func (a *AutoLogin) NeedsLogin(r *http.Request, isAuthenticated, isAcrValid bool) bool {
- if (isAuthenticated && isAcrValid) || !a.Enabled || r.Method != http.MethodGet {
+func (a *AutoLogin) NeedsLogin(r *http.Request, isAuthenticated bool) bool {
+ if isAuthenticated || !a.Enabled || r.Method != http.MethodGet {
 return false
 }
diff --git a/pkg/handler/error.go b/pkg/handler/error.go
index 9ec71f4..a8375a8 100644
--- a/pkg/handler/error.go
+++ b/pkg/handler/error.go
@@ -69,7 +69,7 @@ func (s *Standalone) respondError(w http.ResponseWriter, r *http.Request, status
 incrementRetryAttempt(w, r, s.GetCookieOptions(r))
 attempts, ok := getRetryAttempts(r)
- if !ok || ok && attempts < MaxAutoRetryAttempts {
+ if !ok || (ok && attempts < MaxAutoRetryAttempts) {
 loginCookie, err := openid.GetLoginCookie(r, s.Crypter)
 if err != nil {
 loginCookie = nil
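Review bot: In pkg/handler/acr/acr.go, `NewHandler` carries no doc comment, and after this change `Enabled` is true whenever `cfg.OpenID.ACRValues` is non-empty, so enforcement no longer depends on auto-login. I would add `// NewHandler returns an ACR handler that is enabled whenever ACR values are configured, independent of auto-login.` above it. Validate's body is outside the hunk, so how it treats a session without a recorded acr should be confirmed, since such sessions are now subject to the check in every deployment that sets ACR values.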
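Review bot: In pkg/handler/autologin/autologin.go, `NeedsLogin` now depends on the caller having folded ACR validity into `isAuthenticated`, and nothing on the method states that contract. A doc comment such as `// NeedsLogin reports whether the request should be redirected to login; isAuthenticated must already be false for sessions that failed ACR validation.` would keep a future caller from passing the raw session state. The method body continues outside the hunk.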
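Review bot: In pkg/handler/error.go the added parentheses make the precedence explicit, but the inner `ok &&` is redundant because the right-hand side of `||` is only evaluated when `ok` is true; `if !ok || attempts < MaxAutoRetryAttempts {` reads more plainly. Separately, the context line `loginCookie = nil` discards the error from `openid.GetLoginCookie` without logging it, which may hide failures to read the login cookie. The rest of respondError is outside the hunk, so that may be handled further down.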
diff --git a/pkg/handler/reverseproxy.go b/pkg/handler/reverseproxy.go
index 96c8a3f..59d61f7 100644
--- a/pkg/handler/reverseproxy.go
+++ b/pkg/handler/reverseproxy.go
@@ -89,14 +89,13 @@ func (rp *ReverseProxy) Handler(src ReverseProxySource, w http.ResponseWriter, r
 logger.Errorf("default: unauthenticated: unexpected error: %+v", err)
 }
- isAcrValid := true
 err = src.GetAcrHandler().Validate(sess)
 if err != nil {
- isAcrValid = false
- logger.Infof("default: acr: %+v; checking for autologin...", err)
+ isAuthenticated = false
+ logger.Infof("default: unauthenticated: acr: %+v; checking for autologin...", err)
 }
- if src.GetAutoLogin().NeedsLogin(r, isAuthenticated, isAcrValid) {
+ if src.GetAutoLogin().NeedsLogin(r, isAuthenticated) {
 loginRedirect(src, w, r, "request matches autologin")
 return
 }
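Review bot: `src.GetAcrHandler().Validate(sess)` is called unconditionally, including right after the branch that logs `default: unauthenticated: unexpected error`, so it may be handed a session that was never loaded. Validate's body is not visible here, so either confirm it tolerates a nil session or guard the call with `if isAuthenticated {`. If Validate returns an error for a missing session, the guard would also keep the Info-level `unauthenticated: acr:` line from firing on every request that carries no session. Because the downgrade only flips the local `isAuthenticated`, any later code in Handler (outside this hunk) that reads `sess` directly rather than the flag would still forward the session's token, so a test covering a non-GET request with a mismatched acr is worth adding.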