From 2bbbb5f7a5a5e0b4926f773b3b671aa83cdfddce Mon Sep 17 00:00:00 2001
From: Amir Raminfar
Date: Sun, 11 Apr 2021 13:53:16 -0700
Subject: [PATCH] Fixes security error with invalid session
---
 web/auth.go | 7 +++----
 web/routes.go | 2 +-
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/web/auth.go b/web/auth.go
index 4d8e4c6d..512876ce 100644
--- a/web/auth.go
+++ b/web/auth.go
@@ -27,8 +27,7 @@ func initializeAuth(h *handler) {
 func authorizationRequired(f http.HandlerFunc) http.Handler {
 if secured {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- session, _ := store.Get(r, sessionName)
- if session.IsNew {
+ if isAuthorized(r) {
 http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 return
 } else {
@@ -40,7 +39,7 @@ func authorizationRequired(f http.HandlerFunc) http.Handler {
 }
 }
 
-func (h *handler) isAuthorized(r *http.Request) bool {
+func isAuthorized(r *http.Request) bool {
 if !secured {
 return true
 }
@@ -59,7 +58,7 @@ func (h *handler) isAuthorized(r *http.Request) bool {
 }
 
 func (h *handler) isAuthorizationNeeded(r *http.Request) bool {
- return secured && !h.isAuthorized(r)
+ return secured && !isAuthorized(r)
 }
 
 func (h *handler) validateCredentials(w http.ResponseWriter, r *http.Request) {
diff --git a/web/routes.go b/web/routes.go
index 21e32212..c7658e77 100644
--- a/web/routes.go
+++ b/web/routes.go
@@ -82,7 +82,7 @@ func (h *handler) index(w http.ResponseWriter, req *http.Request) {
 if err == nil && req.URL.Path != "" && req.URL.Path != "/" {
 fileServer.ServeHTTP(w, req)
 } else {
- if !h.isAuthorized(req) && req.URL.Path != "login" {
+ if !isAuthorized(req) && req.URL.Path != "login" {
 http.Redirect(w, req, h.config.Base+"login", http.StatusTemporaryRedirect)
 return
 }
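Review bot: The guard in `authorizationRequired` (first hunk of web/auth.go) is inverted: `if isAuthorized(r) {` now answers 401 to requests that carry a valid session and takes the `else` branch for those that do not. The old check rejected when `session.IsNew` was true, so the replacement needs the negation, `if !isAuthorized(r) {`. The `else` body lies outside the hunk, but if it calls the wrapped handler `f`, every route behind this middleware is served to unauthenticated clients while signed-in users are locked out. A handler test that requests a wrapped route once with and once without a session cookie would pin the intended behaviour.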