auth cleanup

This commit is contained in:
stremovsky
2019-12-23 09:29:48 +02:00
parent d346e89493
commit ca6c3e5046
2 changed files with 51 additions and 15 deletions


@@ -26,11 +26,6 @@ func (e mainEnv) consentAccept(w http.ResponseWriter, r *http.Request, ps httpro
return
}
defer func() {
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.WriteHeader(200)
w.Write([]byte(`{"status":"ok"}`))
}()
userTOKEN := ""
if mode == "token" {
if enforceUUID(w, address, event) == false {
@@ -38,18 +33,34 @@ func (e mainEnv) consentAccept(w http.ResponseWriter, r *http.Request, ps httpro
}
userBson, _ := e.db.lookupUserRecord(address)
if userBson == nil {
// if token not found, exit from here
returnError(w, r, "internal error", 405, nil, event)
return
}
if e.enforceAuth(w, r, event) == false {
return
}
userTOKEN = address
} else {
// TODO: decode url in code!
userBson, _ := e.db.lookupUserRecordByIndex(mode, address, e.conf)
if userBson != nil {
userTOKEN = userBson["token"].(string)
event.Record = userTOKEN
if e.enforceAuth(w, r, event) == false {
return
}
} else {
if mode == "login" {
returnError(w, r, "internal error", 405, nil, event)
return
}
// else user not found - we allow to save consent for unlinked users!
}
}
defer func() {
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.WriteHeader(200)
w.Write([]byte(`{"status":"ok"}`))
}()
records, err := getJSONPostData(r)
if err != nil {
@@ -115,7 +126,10 @@ func (e mainEnv) consentCancel(w http.ResponseWriter, r *http.Request, ps httpro
}
userBson, _ := e.db.lookupUserRecord(address)
if userBson == nil {
// if token not found, exit from here
returnError(w, r, "internal error", 405, nil, event)
return
}
if e.enforceAuth(w, r, event) == false {
return
}
userTOKEN = address
@@ -125,6 +139,15 @@ func (e mainEnv) consentCancel(w http.ResponseWriter, r *http.Request, ps httpro
if userBson != nil {
userTOKEN = userBson["token"].(string)
event.Record = userTOKEN
if e.enforceAuth(w, r, event) == false {
return
}
} else {
if mode == "login" {
returnError(w, r, "internal error", 405, nil, event)
return
}
// else user not found - we allow to save consent for unlinked users!
}
}
// make sure that user is logged in here, unless he wants to cancel emails
@@ -161,7 +184,10 @@ func (e mainEnv) consentAllUserRecords(w http.ResponseWriter, r *http.Request, p
}
userBson, _ := e.db.lookupUserRecord(address)
if userBson == nil {
// if token not found, exit from here
returnError(w, r, "internal error", 405, nil, event)
return
}
if e.enforceAuth(w, r, event) == false {
return
}
userTOKEN = address
@@ -171,6 +197,16 @@ func (e mainEnv) consentAllUserRecords(w http.ResponseWriter, r *http.Request, p
if userBson != nil {
userTOKEN = userBson["token"].(string)
event.Record = userTOKEN
if e.enforceAuth(w, r, event) == false {
return
}
} else {
if mode == "login" {
returnError(w, r, "internal error", 405, nil, event)
return
}
// else user not found - we allow to save consent for unlinked users!
}
}
// make sure that user is logged in here, unless he wants to cancel emails
@@ -216,7 +252,7 @@ func (e mainEnv) consentUserRecord(w http.ResponseWriter, r *http.Request, ps ht
}
userBson, _ := e.db.lookupUserRecord(address)
if userBson == nil {
// if token not found, exit from here
returnError(w, r, "internal error", 405, nil, event)
return
}
userTOKEN = address
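Review bot: In consentAccept the unauthenticated "unlinked user" branch (the `else` after `if userBson != nil` in the index-lookup path) is reached not only when no record exists but also when `lookupUserRecordByIndex` fails, because its error is discarded with `userBson, _ :=`; a database error therefore degrades into the path that skips enforceAuth entirely. Checking the error before the nil test, `userBson, err := e.db.lookupUserRecordByIndex(mode, address, e.conf)` followed by `if err != nil { returnError(w, r, "internal error", 405, nil, event); return }`, keeps the no-auth path limited to the intended case; the same discarded error appears in the `lookupUserRecord` calls of the token branches and in the consentCancel and consentAllUserRecords hunks. The found/not-found split also means an unauthenticated caller receives an auth failure for a registered address and 200 for an unknown one, which reveals whether an address is on file, so the unauthenticated case should ideally produce the same response either way. The deferred writer of the 200 `{"status":"ok"}` body is still registered before `getJSONPostData(r)`, so any `returnError` after it triggers a second WriteHeader and appends the ok body to the error response; registering it after the input is parsed avoids that. consentAccept continues outside the hunk, and the consentUserRecord hunk shows no enforceAuth call, which I assume is present in lines not shown.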


@@ -21,9 +21,6 @@ func (e mainEnv) newSession(w http.ResponseWriter, r *http.Request, ps httproute
return
}
if e.enforceAuth(w, r, event) == false {
return
}
userTOKEN := ""
if mode == "token" {
if enforceUUID(w, address, event) == false {
@@ -31,7 +28,7 @@ func (e mainEnv) newSession(w http.ResponseWriter, r *http.Request, ps httproute
}
userBson, _ := e.db.lookupUserRecord(address)
if userBson == nil {
// if token not found, exit from here
returnError(w, r, "internal error", 405, nil, event)
return
}
userTOKEN = address
@@ -45,6 +42,9 @@ func (e mainEnv) newSession(w http.ResponseWriter, r *http.Request, ps httproute
return
}
}
if e.enforceAuth(w, r, event) == false {
return
}
expiration := e.conf.Policy.Max_session_retention_period
records, err := getJSONPostData(r)
if err != nil {
@@ -103,7 +103,7 @@ func (e mainEnv) getUserSessions(w http.ResponseWriter, r *http.Request, ps http
}
userBson, _ := e.db.lookupUserRecord(address)
if userBson == nil {
// if token not found, exit from here
returnError(w, r, "internal error", 405, nil, event)
return
}
userTOKEN = address
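Review bot: Moving `e.enforceAuth(w, r, event)` below the record lookups in newSession means the not-found response at `if userBson == nil` is now sent before authentication, so an unauthenticated caller can learn from the status code whether a token exists, whereas in the removed lines enforceAuth ran first. If the intent is to have event.Record filled before auth runs, the lookup can stay first but the not-found path should still authenticate, e.g. `if e.enforceAuth(w, r, event) == false { return }` ahead of the `returnError` call, or return the same response to unauthenticated callers regardless of lookup outcome; the index branch of the function, which presumably has a similar not-found exit, lies outside the hunk. The discarded error in `userBson, _ := e.db.lookupUserRecord(address)` also makes a database failure indistinguishable from a missing record, both here and in the getUserSessions hunk. The body of newSession continues outside the hunks.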