Merge #448

448: Do not authenticate the wobserver API r=notriddle a=notriddle Wobserver uses its own authentication key, so we can forward anything in and let it take care of it. Fixes https://forum.bors.tech/t/accessing-wobserver/201/8 Co-authored-by: Michael Howell <michael@notriddle.com>
bors-ng · Aug 17, 2018 · 585dc1c · 585dc1c
2 parents 24866f3 + af234b7
commit 585dc1c
Showing 1 changed file with 14 additions and 3 deletions.
diff --git a/lib/web/router.ex b/lib/web/router.ex
@@ -36,9 +36,7 @@ defmodule BorsNG.Router do
   end
 
   pipeline :wobserver do
-    plug :fetch_session
-    plug :get_current_user
-    plug :force_current_user_admin
+    plug :wobserver_auth
   end
 
   pipeline :webhook do
@@ -148,4 +146,17 @@ defmodule BorsNG.Router do
         |> halt
     end
   end
+
+  # If the target URL is in the wobserver API, do not mess with it.
+  # Otherwise, authenticate the current user.
+  defp wobserver_auth(conn, _) do
+    case conn.path_info do
+      ["api", _] -> conn
+      _ ->
+        conn
+        |> fetch_session([])
+        |> get_current_user([])
+        |> force_current_user_admin([])
+    end
+  end
 end