fix race condition in httpauth where the incorrect handler could be c…

…alled for some calls
ntbosscher · Nov 5, 2020 · a8d40bc · a8d40bc
1 parent 94022b2
commit a8d40bc
Showing 1 changed file with 17 additions and 11 deletions.
diff --git a/auth/httpauth/main.go b/auth/httpauth/main.go
@@ -106,6 +106,11 @@ func (c Config) getAccessTokenCookieName() string {
 	return strs.Coalesce(c.AccessTokenCookieName, "token")
 }
 
+const defaultLoginEndpoint = "/api/auth/#"
+const defaultRefreshEndpoint = "/api/auth/refresh"
+const defaultLogoutEndpoint = "/api/auth/logout"
+const defaultRegisterEndpoint = "/api/auth/register"
+
 func Setup(router *res.Router, config Config) *AuthRouter {
 	loginPath := strs.Coalesce(config.LoginPath, defaultLoginEndpoint)
 	router.Post(loginPath, loginHandler(&config))
@@ -134,11 +139,10 @@ func Setup(router *res.Router, config Config) *AuthRouter {
 		oauth.Setup(router, config.OAuth, sessionSetter)
 	}
 
-	server := middleware(config)
+	server := newServer(config)
 
-	router.Use(func(h http.Handler) http.Handler {
-		server.next = h
-		return server
+	router.Use(func(handler http.Handler) http.Handler {
+		return cloneServer(server, handler)
 	})
 
 	return &AuthRouter{
@@ -148,7 +152,14 @@ func Setup(router *res.Router, config Config) *AuthRouter {
 	}
 }
 
-func middleware(config Config) *server {
+func cloneServer(src *server, next http.Handler) *server {
+	clone := &server{}
+	*clone = *src
+	clone.next = next
+	return clone
+}
+
+func newServer(config Config) *server {
 
 	if config.CredentialChecker == nil {
 		log.Fatal("github.com/ntbosscher/gobase/auth/authhttp.Middleware(config): config requires CredentialChecker")
@@ -163,18 +174,13 @@ func middleware(config Config) *server {
 }
 
 type server struct {
-	next                     http.Handler
+	next http.Handler
 	perRequestFilter         PerRequestFilter
 	ignoreRoutesWithPrefixes []string
 	ignoreRoutes             []string
 	authHandler              func(request *res.Request) (res.Responder, context.Context)
 }
 
-const defaultLoginEndpoint = "/api/auth/#"
-const defaultRefreshEndpoint = "/api/auth/refresh"
-const defaultLogoutEndpoint = "/api/auth/logout"
-const defaultRegisterEndpoint = "/api/auth/register"
-
 func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 
 	ignoredRoute := false