From a8d40bce9c429d324122d18c446924dab809e812 Mon Sep 17 00:00:00 2001
From: Nathan Bosscher
Date: Thu, 5 Nov 2020 16:49:43 -0500
Subject: [PATCH] fix race condition in httpauth where the incorrect handler could be called for some calls

---
 auth/httpauth/main.go | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/auth/httpauth/main.go b/auth/httpauth/main.go
index 5f19a70..8e0d272 100644
--- a/auth/httpauth/main.go
+++ b/auth/httpauth/main.go
@@ -106,6 +106,11 @@ func (c Config) getAccessTokenCookieName() string {
 	return strs.Coalesce(c.AccessTokenCookieName, "token")
 }
 
+const defaultLoginEndpoint = "/api/auth/login"
+const defaultRefreshEndpoint = "/api/auth/refresh"
+const defaultLogoutEndpoint = "/api/auth/logout"
+const defaultRegisterEndpoint = "/api/auth/register"
+
 func Setup(router *res.Router, config Config) *AuthRouter {
 	loginPath := strs.Coalesce(config.LoginPath, defaultLoginEndpoint)
 	router.Post(loginPath, loginHandler(&config))
@@ -134,11 +139,10 @@ func Setup(router *res.Router, config Config) *AuthRouter {
 		oauth.Setup(router, config.OAuth, sessionSetter)
 	}
 
-	server := middleware(config)
+	server := newServer(config)
 
-	router.Use(func(h http.Handler) http.Handler {
-		server.next = h
-		return server
+	router.Use(func(handler http.Handler) http.Handler {
+		return cloneServer(server, handler)
 	})
 
 	return &AuthRouter{
@@ -148,7 +152,14 @@ func Setup(router *res.Router, config Config) *AuthRouter {
 	}
 }
 
-func middleware(config Config) *server {
+func cloneServer(src *server, next http.Handler) *server {
+	clone := &server{}
+	*clone = *src
+	clone.next = next
+	return clone
+}
+
+func newServer(config Config) *server {
 	if config.CredentialChecker == nil {
 		log.Fatal("github.com/ntbosscher/gobase/auth/authhttp.Middleware(config): config requires CredentialChecker")
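Review bot: The four `default*Endpoint` constants added above Setup should be one parenthesized `const (...)` block rather than four separate declarations, which is the Go convention for related constants and gives them a single place for a doc comment. Suggested comment on the block: `// Default routes registered by Setup when the matching Config path is empty.` The login case is visible just below via `strs.Coalesce(config.LoginPath, defaultLoginEndpoint)`; the other three are presumably resolved the same way further down in Setup, outside this hunk. getAccessTokenCookieName ends inside this hunk but Setup continues past it.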
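Review bot: The new `return cloneServer(server, handler)` fixes the shared-`next` overwrite, but nothing at the call site says why a fresh copy per call is required, and the next reader may fold it back into a single shared instance — the exact bug the commit title describes. Suggest a why-comment above the closure: `// Use may invoke this once per handler chain; each chain gets its own server so next is never overwritten by a later call.` Since this middleware is the authentication gate, the old behaviour could hand an authenticated request to a handler it was never meant for, so the per-call copy is security-relevant rather than cosmetic. cloneServer (added in a later hunk) copies the struct by value, so its slice fields alias the original's backing arrays across every clone; that is safe only while nothing appends to them after Setup, which I cannot confirm from this diff alone. Setup starts before this hunk and continues after it.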
@@ -163,18 +174,13 @@ func middleware(config Config) *server {
 }
 
 type server struct {
-	next http.Handler
+	next http.Handler
 	perRequestFilter PerRequestFilter
 	ignoreRoutesWithPrefixes []string
 	ignoreRoutes []string
 	authHandler func(request *res.Request) (res.Responder, context.Context)
 }
 
-const defaultLoginEndpoint = "/api/auth/login"
-const defaultRefreshEndpoint = "/api/auth/refresh"
-const defaultLogoutEndpoint = "/api/auth/logout"
-const defaultRegisterEndpoint = "/api/auth/register"
-
 func (s *server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	ignoredRoute := false