author | Jaime Martinez <jmartinez@gitlab.com> | 2020-06-09 09:26:44 +0300 |
---|---|---|
committer | Jaime Martinez <jmartinez@gitlab.com> | 2020-07-06 02:27:25 +0300 |
commit | 4c7d7872868361d79796e87cca2d4cf5d0e95824 (patch) | |
tree | d23736d4b9dd741e69ccd59b1ffad232995a1656 /app.go | |
parent | 2a23f2fb9bca74302dcdc40def50c748da4a5e06 (diff) |
Address MR feedback
use correct reference
Diffstat (limited to 'app.go')
-rw-r--r-- | app.go | 28 |
1 files changed, 14 insertions, 14 deletions
@@ -94,21 +94,18 @@ func (a *theApp) domain(host string) (*domain.Domain, error) {
 return a.domains.GetDomain(host)
 }
-func (a *theApp) checkAuthenticationIfNotExists(domain *domain.Domain, w http.ResponseWriter, r *http.Request) bool {
- if !domain.HasLookupPath(r) {
- // Only if auth is supported
- if a.Auth.IsAuthSupported() {
- // To avoid user knowing if pages exist, we will force user to login and authorize pages
- if a.Auth.CheckAuthenticationWithoutProject(w, r, domain) {
- return true
- }
- }
-
- domain.ServeNotFoundAuthFailed(w, r)
+// checkAuthAndServeNotFound performs the auth process if domain can't be found
+// the main purpose of this process is to avoid leaking the project existence/not-existence
+// by behaving the same if user has no access to the project or if project simply does not exists
+func (a *theApp) checkAuthAndServeNotFound(domain *domain.Domain, w http.ResponseWriter, r *http.Request) bool {
+ // To avoid user knowing if pages exist, we will force user to login and authorize pages
+ if a.Auth.CheckAuthenticationWithoutProject(w, r, domain) {
 return true
 }
- return false
+ // auth succeeded try to serve the correct 404 page
+ domain.ServeNotFoundAuthFailed(w, r)
+ return true
 }
 func (a *theApp) tryAuxiliaryHandlers(w http.ResponseWriter, r *http.Request, https bool, host string, domain *domain.Domain) bool {
@@ -127,8 +124,11 @@ func (a *theApp) tryAuxiliaryHandlers(w http.ResponseWriter, r *http.Request, ht
 return true
 }
- if a.checkAuthenticationIfNotExists(domain, w, r) {
- return true
+ if !domain.HasLookupPath(r) {
+ // redirect to auth and serve not found
+ if a.checkAuthAndServeNotFound(domain, w, r) {
+ return true
+ }
 }
 if !https && domain.IsHTTPSOnly(r) { |
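Review bot: checkAuthAndServeNotFound returns true on both of its paths, so its bool result carries no information and the `if a.checkAuthAndServeNotFound(domain, w, r) { return true }` added in the second hunk of tryAuxiliaryHandlers can never fall through; either drop the return value and call it as a statement, or document on the function that it always writes the response. The comment `// auth succeeded try to serve the correct 404 page` is misleading, because that line is reached when CheckAuthenticationWithoutProject returned false, i.e. it issued no redirect; suggest `// No redirect was issued, so serve the not-found page without revealing whether the project exists.`. The old `a.Auth.IsAuthSupported()` guard is gone, so the new code presumably relies on CheckAuthenticationWithoutProject returning false when auth is not configured — worth confirming, since the existence-hiding behaviour now depends entirely on that call. The doc comment should also be a sentence starting with the name, e.g. `// checkAuthAndServeNotFound runs the authentication flow when the domain has no matching project, so a caller cannot tell a missing project from one they lack access to.`.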