feat(loginstatus): ensure that cookie is set in default route

2026-05-09 01:47:03 +00:00 · 2022-02-01 14:31:28 +01:00
parent fcba6815b9
commit c3da899190
3 changed files with 39 additions and 2 deletions
--- a/pkg/loginstatus/loginstatus.go
+++ b/pkg/loginstatus/loginstatus.go
@@ -3,6 +3,7 @@ package loginstatus
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io/ioutil"
 	"net/http"
@@ -19,6 +20,7 @@ const (
 type Client interface {
 	ExchangeToken(ctx context.Context, accessToken string) (*TokenResponse, error)
 	SetCookie(w http.ResponseWriter, token *TokenResponse, opts cookie.Options)
+	HasCookie(r *http.Request) bool
 	ClearCookie(w http.ResponseWriter, opts cookie.Options)
 }

@@ -75,6 +77,14 @@ func (c client) SetCookie(w http.ResponseWriter, token *TokenResponse, opts cook
 	cookie.Set(w, newCookie)
 }

+func (c client) HasCookie(r *http.Request) bool {
+	_, err := r.Cookie(c.config.CookieName)
+	if errors.Is(err, http.ErrNoCookie) {
+		return false
+	}
+	return true
+}
+
 func (c client) ClearCookie(w http.ResponseWriter, opts cookie.Options) {
 	cookieName := c.config.CookieName
 	opts = c.cookieOptions(opts)
--- a/pkg/loginstatus/loginstatus_test.go
+++ b/pkg/loginstatus/loginstatus_test.go
@@ -115,6 +115,23 @@ func TestClient_ClearCookie(t *testing.T) {
 	assert.Equal(t, "/", result.Path)
 }

+func TestClient_HasCookie(t *testing.T) {
+	cfg := newCfg("https://some-server")
+	opts := cookie.DefaultOptions()
+
+	c := cookie.Make(cfg.CookieName, "some-value", opts)
+	r := httptest.NewRequest(http.MethodGet, "/", nil)
+	r.AddCookie(c.Cookie)
+
+	client := loginstatus.NewClient(cfg, http.DefaultClient)
+	actual := client.HasCookie(r)
+	assert.True(t, actual)
+
+	r = httptest.NewRequest(http.MethodGet, "/", nil)
+	actual = client.HasCookie(r)
+	assert.False(t, actual)
+}
+
 func newCfg(serverURL string) config.Loginstatus {
 	return config.Loginstatus{
 		Enabled:           true,
--- a/pkg/router/handler_default.go
+++ b/pkg/router/handler_default.go
@@ -12,10 +12,20 @@ func (h *Handler) Default(w http.ResponseWriter, r *http.Request) {
 	isAuthenticated := false

 	sessionData, err := h.getSessionFromCookie(w, r)
-	if err == nil && sessionData != nil && len(sessionData.AccessToken) > 0 {
+
+	hasSessionData := err == nil && sessionData != nil
+	hasAccessToken := hasSessionData && len(sessionData.AccessToken) > 0
+	if hasAccessToken {
 		// add authentication if session cookie and token checks out
 		isAuthenticated = true
-	} else if h.Config.AutoLogin {
+
+		// force new authentication if loginstatus is enabled and cookie isn't set
+		if h.Config.Features.Loginstatus.Enabled && !h.Loginstatus.HasCookie(r) {
+			isAuthenticated = false
+		}
+	}
+
+	if !isAuthenticated && h.Config.AutoLogin {
 		r.Header.Add("Referer", r.URL.String())
 		h.Login(w, r)
 		return