diff --git a/CHANGELOG.md b/CHANGELOG.md
index 575ae44..b02fe4c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Add e-mail confirmation before 2fa setup feature
 - Add config value TwoFactorEmailAuthRequired
 
+### Fixed
+
+- Fix a bug in remember where a user would get half-authed even though they
+  were logged in depending on middleware ordering.
+
 ### Deprecated
 
 - Deprecate the config field ConfirmMethod in favor of MailRouteMethod. See
diff --git a/context.go b/context.go
index e696f6a..02016ed 100644
--- a/context.go
+++ b/context.go
@@ -32,6 +32,8 @@ func (c contextKey) String() string {
 }
 
 // CurrentUserID retrieves the current user from the session.
+// TODO(aarondl): This method never returns an error, one day we'll change
+// the function signature.
 func (a *Authboss) CurrentUserID(r *http.Request) (string, error) {
 	if pid := r.Context().Value(CTXKeyPID); pid != nil {
 		return pid.(string), nil
diff --git a/otp/twofactor/sms2fa/sms.go b/otp/twofactor/sms2fa/sms.go
index 1d7a9ac..e429dae 100644
--- a/otp/twofactor/sms2fa/sms.go
+++ b/otp/twofactor/sms2fa/sms.go
@@ -8,6 +8,7 @@ import (
 	"crypto/subtle"
 	"io"
 	"net/http"
+	"path"
 	"strconv"
 	"strings"
 	"time"
@@ -105,7 +106,8 @@ func (s *SMS) Setup() error {
 	}
 
 	if s.Authboss.Config.Modules.TwoFactorEmailAuthRequired {
-		emailVerify, err := twofactor.SetupEmailVerify(s.Authboss, "sms", "/2fa/sms/setup")
+		setupPath := path.Join(s.Authboss.Paths.Mount, "/2fa/sms/setup")
+		emailVerify, err := twofactor.SetupEmailVerify(s.Authboss, "sms", setupPath)
 		if err != nil {
 			return err
 		}
diff --git a/otp/twofactor/totp2fa/totp.go b/otp/twofactor/totp2fa/totp.go
index f4d7501..8d3f5c5 100644
--- a/otp/twofactor/totp2fa/totp.go
+++ b/otp/twofactor/totp2fa/totp.go
@@ -9,6 +9,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"path"
 
 	"github.com/pkg/errors"
 	"github.com/pquerna/otp"
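Review bot: The mount-prefixed setup path is spelled out by hand both here, `setupPath := path.Join(s.Authboss.Paths.Mount, "/2fa/sms/setup")`, and in the totp.go Setup hunk with its "totp" twin, so each literal can drift from the `kind` argument passed right next to it. SetupEmailVerify already receives the Authboss instance and the kind, so it could derive the path itself as `path.Join(ab.Paths.Mount, "2fa", kind, "setup")` and the call sites would lose the duplicated string; if the signature is to stay, a comment at the call such as `// Redirect target after e-mail verification; must include Paths.Mount.` would at least record why the join is needed. That the third argument is the post-verification redirect is inferred from the name, so confirm it against twofactor_verify.go before relying on it. Setup begins and continues outside this hunk.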
@@ -74,7 +75,8 @@ func (t *TOTP) Setup() error {
 	}
 
 	if t.Authboss.Config.Modules.TwoFactorEmailAuthRequired {
-		emailVerify, err := twofactor.SetupEmailVerify(t.Authboss, "totp", "/2fa/totp/setup")
+		setupPath := path.Join(t.Authboss.Paths.Mount, "/2fa/totp/setup")
+		emailVerify, err := twofactor.SetupEmailVerify(t.Authboss, "totp", setupPath)
 		if err != nil {
 			return err
 		}
diff --git a/otp/twofactor/twofactor.go b/otp/twofactor/twofactor.go
index 916e72a..3e1e8f9 100644
--- a/otp/twofactor/twofactor.go
+++ b/otp/twofactor/twofactor.go
@@ -25,6 +25,7 @@ const (
 	DataRecoveryCode = "recovery_code"
 	DataRecoveryCodes = "recovery_codes"
 	DataNumRecoveryCodes = "n_recovery_codes"
+	DataVerifyEmail = "email"
 	DataVerifyURL = "url"
 )
 
diff --git a/otp/twofactor/twofactor_verify.go b/otp/twofactor/twofactor_verify.go
index 9debc37..d0c8992 100644
--- a/otp/twofactor/twofactor_verify.go
+++ b/otp/twofactor/twofactor_verify.go
@@ -70,7 +70,10 @@ func (e EmailVerify) GetStart(w http.ResponseWriter, r *http.Request) error {
 
 	user := cu.(User)
 
-	data := authboss.HTMLData{"email": user.GetEmail()}
+	data := authboss.HTMLData{
+		DataVerifyEmail: user.GetEmail(),
+		DataVerifyURL: path.Join(e.Authboss.Paths.Mount, "2fa", e.TwofactorKind, "email/verify"),
+	}
 
 	return e.Authboss.Core.Responder.Respond(w, r, http.StatusOK, PageVerify2FA, data)
 }
diff --git a/remember/remember.go b/remember/remember.go
index bad2326..bb00660 100644
--- a/remember/remember.go
+++ b/remember/remember.go
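Review bot: DataVerifyURL is joined from bare segments, `path.Join(e.Authboss.Paths.Mount, "2fa", e.TwofactorKind, "email/verify")`, so if Paths.Mount is ever empty the template receives the relative URL `2fa/totp/email/verify`, which the browser resolves against the current page, whereas the sms.go and totp.go Setup hunks keep their result absolute by passing `"/2fa/…"`. Writing it as `path.Join(e.Authboss.Paths.Mount, "/2fa", e.TwofactorKind, "email/verify")` keeps the URL absolute for any mount value and matches the other call sites. Whether an empty mount is a supported configuration is not visible here; if it is not, a one-line comment stating that Paths.Mount is assumed to start with a slash would make the dependency explicit. No import hunk for this file appears in the diff, so `path` is presumably already imported. GetStart begins before the hunk.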
@@ -69,7 +69,8 @@ func (r *Remember) RememberAfterAuth(w http.ResponseWriter, req *http.Request, h
 func Middleware(ab *authboss.Authboss) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if r.Context().Value(authboss.CTXKeyPID) == nil && r.Context().Value(authboss.CTXKeyUser) == nil {
+			// Safely can ignore error here
+			if id, _ := ab.CurrentUserID(r); len(id) == 0 {
 				if err := Authenticate(ab, w, &r); err != nil {
 					logger := ab.RequestLogger(r)
 					logger.Errorf("failed to authenticate user via remember me: %+v", err)
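Review bot: The discarded error in `if id, _ := ab.CurrentUserID(r); len(id) == 0 {` is justified only by the TODO this same commit adds to CurrentUserID in context.go, which also announces that the signature will change; once it does, an error here would be read as "no user" and silently fall through to remember-cookie authentication on a request whose session could not be read. The comment should record that dependency so the next change to CurrentUserID has to revisit this call, e.g. `// CurrentUserID never returns an error today (see its TODO); if that changes, log it rather than treating it as "not logged in".` For a string, `id == ""` is the idiomatic spelling of `len(id) == 0`. The new condition also drops the old CTXKeyUser check; from the visible context.go lines CurrentUserID consults CTXKeyPID and then presumably the session, so a request whose context holds only a user and no PID would now be re-authenticated via the remember cookie — worth confirming that no code path sets CTXKeyUser alone. Middleware's closures continue past the end of the hunk.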