
Commit a8d40bc

committed
fix race condition in httpauth where the incorrect handler could be called for some calls
1 parent 94022b2 commit a8d40bc


1 file changed

+17
-11
lines changed


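--- a/auth/httpauth/main.go
+++ b/auth/httpauth/main.go
@@ -106,6 +106,11 @@ func (c Config) getAccessTokenCookieName() string {
 return strs.Coalesce(c.AccessTokenCookieName, "token")
 }
 
+const defaultLoginEndpoint = "/api/auth/login"
+const defaultRefreshEndpoint = "/api/auth/refresh"
+const defaultLogoutEndpoint = "/api/auth/logout"
+const defaultRegisterEndpoint = "/api/auth/register"
+
 func Setup(router *res.Router, config Config) *AuthRouter {
 loginPath := strs.Coalesce(config.LoginPath, defaultLoginEndpoint)
 router.Post(loginPath, loginHandler(&config))
@@ -134,11 +139,10 @@ func Setup(router *res.Router, config Config) *AuthRouter {
 oauth.Setup(router, config.OAuth, sessionSetter)
 }
 
-server := middleware(config)
+server := newServer(config)
 
-router.Use(func(h http.Handler) http.Handler {
-server.next = h
-return server
+router.Use(func(handler http.Handler) http.Handler {
+return cloneServer(server, handler)
 })
 
 return &AuthRouter{
@@ -148,7 +152,14 @@ func Setup(router *res.Router, config Config) *AuthRouter {
 }
 }
 
-func middleware(config Config) *server {
+func cloneServer(src *server, next http.Handler) *server {
+clone := &server{}
+*clone = *src
+clone.next = next
+return clone
+}
+
+func newServer(config Config) *server {
 
 if config.CredentialChecker == nil {
 log.Fatal("github.com/ntbosscher/gobase/auth/authhttp.Middleware(config): config requires CredentialChecker")
@@ -163,18 +174,13 @@ func middleware(config Config) *server {
 }
 
 type server struct {
-next http.Handler
+next http.Handler
 perRequestFilter PerRequestFilter
 ignoreRoutesWithPrefixes []string
 ignoreRoutes []string
 authHandler func(request *res.Request) (res.Responder, context.Context)
 }
 
-const defaultLoginEndpoint = "/api/auth/login"
-const defaultRefreshEndpoint = "/api/auth/refresh"
-const defaultLogoutEndpoint = "/api/auth/logout"
-const defaultRegisterEndpoint = "/api/auth/register"
-
 func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 ignoredRoute := false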
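Review bot: `cloneServer` makes a shallow copy (`*clone = *src`), so every clone still shares the backing arrays of `ignoreRoutesWithPrefixes` and `ignoreRoutes` and the `authHandler` closure with the original; that is safe only while those fields are never written after `newServer` returns, which the visible lines do not show. The bug fixed here was shared mutable state in an authentication middleware (`server.next` overwritten on each `router.Use` callback), so the invariant deserves a comment above the function, e.g. `// cloneServer returns a per-handler copy of src; every field except next is shared and must be treated as read-only after newServer.` The body can also be written as `clone := *src; clone.next = next; return &clone`. A regression test that wraps two distinct handlers and asserts each request reaches its own one would pin the fix. The bodies of `newServer` and `ServeHTTP` continue outside the visible hunks.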
