Fixes security error with invalid session

2021-04-11 13:53:16 -07:00
parent c89e70d697
commit 2bbbb5f7a5
2 changed files with 4 additions and 5 deletions
--- a/web/auth.go
+++ b/web/auth.go
@@ -27,8 +27,7 @@ func initializeAuth(h *handler) {
 func authorizationRequired(f http.HandlerFunc) http.Handler {
 	if secured {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			session, _ := store.Get(r, sessionName)
+			if isAuthorized(r) {
 			if session.IsNew {
 				http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
 				return
 			} else {
@@ -40,7 +39,7 @@ func authorizationRequired(f http.HandlerFunc) http.Handler {
 	}
 }
-func (h *handler) isAuthorized(r *http.Request) bool {
+func isAuthorized(r *http.Request) bool {
 	if !secured {
 		return true
 	}
@@ -59,7 +58,7 @@ func (h *handler) isAuthorized(r *http.Request) bool {
 }
 func (h *handler) isAuthorizationNeeded(r *http.Request) bool {
-	return secured && !h.isAuthorized(r)
+	return secured && !isAuthorized(r)
 }
 func (h *handler) validateCredentials(w http.ResponseWriter, r *http.Request) {
--- a/web/routes.go
+++ b/web/routes.go
@@ -82,7 +82,7 @@ func (h *handler) index(w http.ResponseWriter, req *http.Request) {
 	if err == nil && req.URL.Path != "" && req.URL.Path != "/" {
 		fileServer.ServeHTTP(w, req)
 	} else {
-		if !h.isAuthorized(req) && req.URL.Path != "login" {
+		if !isAuthorized(req) && req.URL.Path != "login" {
 			http.Redirect(w, req, h.config.Base+"login", http.StatusTemporaryRedirect)
 			return
 		}