Fix couple bugs with remember and 2fa

- Fix bug where setup paths were not mountpathed so twofactor_verify
  would redirect to a 404.
- Fix bug in remember where a user would be remembered even if logged in
  depending on the middleware order (if something had previously called
  LoadCurrentUser/LoadCurrentUserID it was fine, if not, the user was
  half-authed even if he was cleared of half-auth previously).

CHANGELOG.md

@@ -10,6 +10,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Add e-mail confirmation before 2fa setup feature
 - Add config value TwoFactorEmailAuthRequired
 
+### Fixed
+
+- Fix a bug in remember where a user would get half-authed even though they
+  were logged in depending on middleware ordering.
+
 ### Deprecated
 
 - Deprecate the config field ConfirmMethod in favor of MailRouteMethod. See

context.go

@@ -32,6 +32,8 @@ func (c contextKey) String() string {
 }
 
 // CurrentUserID retrieves the current user from the session.
+// TODO(aarondl): This method never returns an error, one day we'll change
+// the function signature.
 func (a *Authboss) CurrentUserID(r *http.Request) (string, error) {
 	if pid := r.Context().Value(CTXKeyPID); pid != nil {
 		return pid.(string), nil

otp/twofactor/sms2fa/sms.go

@@ -8,6 +8,7 @@ import (
 	"crypto/subtle"
 	"io"
 	"net/http"
+	"path"
 	"strconv"
 	"strings"
 	"time"
@@ -105,7 +106,8 @@ func (s *SMS) Setup() error {
 	}
 
 	if s.Authboss.Config.Modules.TwoFactorEmailAuthRequired {
-		emailVerify, err := twofactor.SetupEmailVerify(s.Authboss, "sms", "/2fa/sms/setup")
+		setupPath := path.Join(s.Authboss.Paths.Mount, "/2fa/sms/setup")
+		emailVerify, err := twofactor.SetupEmailVerify(s.Authboss, "sms", setupPath)
 		if err != nil {
 			return err
 		}

otp/twofactor/totp2fa/totp.go

@@ -9,6 +9,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"path"
 
 	"github.com/pkg/errors"
 	"github.com/pquerna/otp"
@@ -74,7 +75,8 @@ func (t *TOTP) Setup() error {
 	}
 
 	if t.Authboss.Config.Modules.TwoFactorEmailAuthRequired {
-		emailVerify, err := twofactor.SetupEmailVerify(t.Authboss, "totp", "/2fa/totp/setup")
+		setupPath := path.Join(t.Authboss.Paths.Mount, "/2fa/totp/setup")
+		emailVerify, err := twofactor.SetupEmailVerify(t.Authboss, "totp", setupPath)
 		if err != nil {
 			return err
 		}

otp/twofactor/twofactor.go

@@ -25,6 +25,7 @@ const (
 	DataRecoveryCode     = "recovery_code"
 	DataRecoveryCodes    = "recovery_codes"
 	DataNumRecoveryCodes = "n_recovery_codes"
+	DataVerifyEmail      = "email"
 	DataVerifyURL        = "url"
 )
 

otp/twofactor/twofactor_verify.go

@@ -70,7 +70,10 @@ func (e EmailVerify) GetStart(w http.ResponseWriter, r *http.Request) error {
 
 	user := cu.(User)
 
-	data := authboss.HTMLData{"email": user.GetEmail()}
+	data := authboss.HTMLData{
+		DataVerifyEmail: user.GetEmail(),
+		DataVerifyURL:   path.Join(e.Authboss.Paths.Mount, "2fa", e.TwofactorKind, "email/verify"),
+	}
 	return e.Authboss.Core.Responder.Respond(w, r, http.StatusOK, PageVerify2FA, data)
 }
 

remember/remember.go

@@ -69,7 +69,8 @@ func (r *Remember) RememberAfterAuth(w http.ResponseWriter, req *http.Request, h
 func Middleware(ab *authboss.Authboss) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if r.Context().Value(authboss.CTXKeyPID) == nil && r.Context().Value(authboss.CTXKeyUser) == nil {
+			// Safely can ignore error here
+			if id, _ := ab.CurrentUserID(r); len(id) == 0 {
 				if err := Authenticate(ab, w, &r); err != nil {
 					logger := ab.RequestLogger(r)
 					logger.Errorf("failed to authenticate user via remember me: %+v", err)