Skip to content

fix: improve authentication flow and session handling #45

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Aug 20, 2025
Merged

fix: improve authentication flow and session handling #45

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
3882d5b
fix: improve authentication flow and session handling
hrntknr Aug 20, 2025
3b45904
Update pkg/auth/auth.go
hrntknr Aug 20, 2025
44ebb69
refactor: improve test organization and fix authorization flow handling
hrntknr Aug 20, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
127 changes: 75 additions & 52 deletions pkg/auth/auth.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ var templateFS embed.FS
type AuthRouter struct {
passwordHash []string
providers []Provider
template *template.Template
loginTemplate *template.Template
unauthorizedTemplate *template.Template
}

Expand All @@ -36,7 +36,7 @@ func NewAuthRouter(passwordHash []string, providers ...Provider) (*AuthRouter, e
return &AuthRouter{
passwordHash: passwordHash,
providers: providers,
template: tmpl,
loginTemplate: tmpl,
unauthorizedTemplate: unauthorizedTmpl,
}, nil
}
Expand Down Expand Up @@ -82,11 +82,28 @@ func (a *AuthRouter) SetupRoutes(router gin.IRouter) {
c.Error(err)
return
}
ok, err := provider.Authorization(userID)
if err != nil {
c.Error(err)
return
}
if !ok {
a.renderUnauthorized(c, userID, provider.Name())
return
}
session.Set(SessionKeyProvider, provider.Name())
session.Set(SessionKeyUserID, userID)
session.Save()
redirectURL := session.Get(SessionKeyRedirectURL)
c.Redirect(http.StatusFound, redirectURL.(string))
if redirectURL != nil {
session.Delete(SessionKeyRedirectURL)
}
session.Save()

if redirectURL == nil {
c.Redirect(http.StatusFound, "/")
} else {
c.Redirect(http.StatusFound, redirectURL.(string))
}
Copy link

Copilot AI Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The redirect URL is deleted from the session before checking if it's nil, but the check happens after the session is saved. This could cause issues if the session save fails. Consider moving the session.Save() call after the redirect logic.

Copilot uses AI. Check for mistakes.
})

router.GET(provider.AuthURL(), func(c *gin.Context) {
Expand Down Expand Up @@ -118,29 +135,12 @@ func (a *AuthRouter) getProvider(name string) Provider {
return nil
}

type templateData struct {
Providers []Provider
HasPassword bool
PasswordError string
}

func (a *AuthRouter) handleLogin(c *gin.Context) {
if c.Request.Method == "POST" {
a.handleLoginPost(c)
return
}

data := templateData{
Providers: a.providers,
HasPassword: len(a.passwordHash) > 0,
PasswordError: "",
}

c.Header("Content-Type", "text/html; charset=utf-8")
if err := a.template.Execute(c.Writer, data); err != nil {
c.AbortWithError(http.StatusInternalServerError, err)
return
}
a.renderLogin(c, "")
}

func (a *AuthRouter) handleLoginPost(c *gin.Context) {
Expand All @@ -165,39 +165,32 @@ func (a *AuthRouter) handleLoginPost(c *gin.Context) {
}

if errorMessage != "" {
data := templateData{
Providers: a.providers,
HasPassword: len(a.passwordHash) > 0,
PasswordError: errorMessage,
}

c.Header("Content-Type", "text/html; charset=utf-8")
c.Status(http.StatusBadRequest)
if err := a.template.Execute(c.Writer, data); err != nil {
c.AbortWithError(http.StatusInternalServerError, err)
return
}
a.renderLogin(c, errorMessage)
return
}

session := sessions.Default(c)
session.Set(SessionKeyProvider, PasswordProvider)
session.Set(SessionKeyUserID, PasswordUserID)
Copy link

Copilot AI Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The redirect URL handling logic is duplicated between the OAuth callback handler and password login handler. Consider extracting this into a shared helper method to reduce code duplication.

Suggested change
session.Set(SessionKeyUserID, PasswordUserID)
session.Set(SessionKeyUserID, PasswordUserID)
a.handleRedirectAfterLogin(c, session)
}
// handleRedirectAfterLogin handles redirecting the user after successful login,
// using the redirect URL stored in the session if present.
func (a *AuthRouter) handleRedirectAfterLogin(c *gin.Context, session sessions.Session) {

Copilot uses AI. Check for mistakes.
redirectURL := session.Get(SessionKeyRedirectURL)
if redirectURL != nil {
session.Delete(SessionKeyRedirectURL)
}
session.Save()

redirectURL := session.Get(SessionKeyRedirectURL)
if redirectURL == nil {
c.Redirect(http.StatusFound, "/")
return
} else {
c.Redirect(http.StatusFound, redirectURL.(string))
Copy link

Copilot AI Aug 20, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same issue as in the OAuth callback: the redirect URL is deleted and session saved before the redirect logic. If session.Save() fails, the redirect URL would be lost but the redirect might not happen correctly.

Copilot uses AI. Check for mistakes.
}
c.Redirect(http.StatusFound, redirectURL.(string))
}

func (a *AuthRouter) handleLogout(c *gin.Context) {
session := sessions.Default(c)
session.Clear()
session.Delete(SessionKeyProvider)
session.Delete(SessionKeyUserID)
session.Save()
c.String(http.StatusOK, "Logged out")
c.Redirect(http.StatusFound, LoginEndpoint)
}

func (a *AuthRouter) RequireAuth() gin.HandlerFunc {
Expand Down Expand Up @@ -229,22 +222,52 @@ func (a *AuthRouter) RequireAuth() gin.HandlerFunc {
return
}
if !ok {
data := struct {
UserID string
Provider string
}{
UserID: userID.(string),
Provider: providerName.(string),
}
c.Header("Content-Type", "text/html; charset=utf-8")
c.Status(http.StatusForbidden)
if err := a.unauthorizedTemplate.Execute(c.Writer, data); err != nil {
c.AbortWithError(http.StatusInternalServerError, err)
return
}
a.renderUnauthorized(c, userID.(string), providerName.(string))
c.Abort()
return
}
c.Next()
}
}

type loginTemplateData struct {
Providers []Provider
HasPassword bool
PasswordError string
}

type unauthorizedTemplateData struct {
UserID string
Provider string
}

func (a *AuthRouter) renderLogin(c *gin.Context, passwordError string) {
data := loginTemplateData{
Providers: a.providers,
HasPassword: len(a.passwordHash) > 0,
PasswordError: passwordError,
}
c.Header("Content-Type", "text/html; charset=utf-8")
if passwordError != "" {
c.Status(http.StatusBadRequest)
} else {
c.Status(http.StatusOK)
}
if err := a.loginTemplate.Execute(c.Writer, data); err != nil {
c.AbortWithError(http.StatusInternalServerError, err)
return
}
}

func (a *AuthRouter) renderUnauthorized(c *gin.Context, userID, providerName string) {
data := unauthorizedTemplateData{
UserID: userID,
Provider: providerName,
}
c.Header("Content-Type", "text/html; charset=utf-8")
c.Status(http.StatusForbidden)
if err := a.unauthorizedTemplate.Execute(c.Writer, data); err != nil {
c.AbortWithError(http.StatusInternalServerError, err)
return
}
}
34 changes: 15 additions & 19 deletions pkg/auth/auth_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,10 +79,15 @@ func TestAuthenticationFlow(t *testing.T) {
defer ctrl.Finish()

// Create mock provider
mockToken := &oauth2.Token{AccessToken: "test-token"}
mockProvider := NewMockProvider(ctrl)
mockProvider.EXPECT().Name().Return("test").AnyTimes()
mockProvider.EXPECT().AuthURL().Return("/.auth/test").AnyTimes()
mockProvider.EXPECT().RedirectURL().Return("/.auth/test/callback").AnyTimes()
mockProvider.EXPECT().AuthCodeURL(gomock.Any(), gomock.Any()).Return("https://example.com/oauth", nil)
mockProvider.EXPECT().Exchange(gomock.Any(), gomock.Any()).Return(mockToken, nil)
mockProvider.EXPECT().GetUserID(gomock.Any(), mockToken).Return("test-user", nil)
mockProvider.EXPECT().Authorization("test-user").Return(true, nil).AnyTimes()

// Create AuthRouter
authRouter, err := NewAuthRouter(nil, mockProvider)
Expand All @@ -103,8 +108,6 @@ func TestAuthenticationFlow(t *testing.T) {
require.Equal(t, http.StatusFound, resp.StatusCode)

// Step 2: Start authentication
mockProvider.EXPECT().AuthCodeURL(gomock.Any(), gomock.Any()).Return("https://example.com/oauth", nil)

resp, err = client.Get(server.URL + "/.auth/test")
require.NoError(t, err)
resp.Body.Close()
Expand All @@ -115,23 +118,15 @@ func TestAuthenticationFlow(t *testing.T) {
require.Equal(t, "https://example.com/oauth", location)

// Step 3: Handle callback
mockToken := &oauth2.Token{AccessToken: "test-token"}
mockProvider.EXPECT().Exchange(gomock.Any(), gomock.Any()).Return(mockToken, nil)
mockProvider.EXPECT().GetUserID(gomock.Any(), mockToken).Return("test-user", nil)

resp, err = client.Get(server.URL + "/.auth/test/callback")
require.NoError(t, err)
resp.Body.Close()

require.Equal(t, http.StatusFound, resp.StatusCode)

// Verify redirect to root
location = resp.Header.Get("Location")
require.Equal(t, "/", location)

// Step 4: Access after authentication
mockProvider.EXPECT().Authorization("test-user").Return(true, nil)

resp, err = client.Get(server.URL + "/")
if err != nil {
t.Fatalf("Request failed: %v", err)
Expand All @@ -146,10 +141,15 @@ func TestAuthenticationFlow(t *testing.T) {
defer ctrl.Finish()

// Create mock provider
mockToken := &oauth2.Token{AccessToken: "test-token"}
mockProvider := NewMockProvider(ctrl)
mockProvider.EXPECT().Name().Return("test").AnyTimes()
mockProvider.EXPECT().AuthURL().Return("/.auth/test").AnyTimes()
mockProvider.EXPECT().RedirectURL().Return("/.auth/test/callback").AnyTimes()
mockProvider.EXPECT().AuthCodeURL(gomock.Any(), gomock.Any()).Return("https://example.com/oauth", nil)
mockProvider.EXPECT().Exchange(gomock.Any(), gomock.Any()).Return(mockToken, nil)
mockProvider.EXPECT().GetUserID(gomock.Any(), mockToken).Return("unauthorized-user", nil)
mockProvider.EXPECT().Authorization("unauthorized-user").Return(false, nil).AnyTimes()

// Create AuthRouter
authRouter, err := NewAuthRouter(nil, mockProvider)
Expand All @@ -167,30 +167,26 @@ func TestAuthenticationFlow(t *testing.T) {
resp.Body.Close()

// Step 2: Start authentication
mockProvider.EXPECT().AuthCodeURL(gomock.Any(), gomock.Any()).Return("https://example.com/oauth", nil)

resp, err = client.Get(server.URL + "/.auth/test")
require.NoError(t, err)
resp.Body.Close()

// Step 3: Complete authentication
mockToken := &oauth2.Token{AccessToken: "test-token"}
mockProvider.EXPECT().Exchange(gomock.Any(), gomock.Any()).Return(mockToken, nil)
mockProvider.EXPECT().GetUserID(gomock.Any(), mockToken).Return("unauthorized-user", nil)

resp, err = client.Get(server.URL + "/.auth/test/callback")
require.NoError(t, err)
resp.Body.Close()

// Step 4: Test access when authorization fails
mockProvider.EXPECT().Authorization("unauthorized-user").Return(false, nil)
require.Equal(t, http.StatusForbidden, resp.StatusCode)

// Step 4: Test access when authorization fails
resp, err = client.Get(server.URL + "/")
if err != nil {
t.Fatalf("Request failed: %v", err)
}
defer resp.Body.Close()

require.Equal(t, http.StatusForbidden, resp.StatusCode)
require.Equal(t, http.StatusFound, resp.StatusCode)
location := resp.Header.Get("Location")
require.Equal(t, "/.auth/login", location)
})
}