fix: return a 401 HTTP Response on auth fail instead of looping OAuth…

… forever
enum-gg · Jan 25, 2024 · 8886d2c · 8886d2c
1 parent 48ab07e
commit 8886d2c
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 12 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,3 @@
 /.idea/
 /Caddyfile
+vendor/
diff --git a/module_callback.go b/module_callback.go
@@ -157,17 +157,16 @@ func (d DiscordAuthPlugin) ServeHTTP(w http.ResponseWriter, r *http.Request, _ c
 		}
 	}
 
-	if !allowed {
-		// User failed realm checks
-		//http.Error(w, "You do not have access to this", http.StatusForbidden)
-		http.Redirect(w, r, token.RedirectURI, http.StatusFound)
+	// Re-validate user through OAuth2 flow every 16 hours when authorised
+	expiration := time.Now().Add(time.Hour * 16)
 
-		return nil
+	// Otherwise re-validate user every 3 minutes if authorised failed
+	// in-case of Discord role change, etc.
+	if !allowed {
+		expiration = time.Now().Add(time.Minute * 3)
 	}
-	// Re-validate user through OAuth2 flow every 16 hours
-	expiration := time.Now().Add(time.Hour * 16)
 
-	authedToken := NewAuthenticatedToken(*identity, realm.Ref, expiration)
+	authedToken := NewAuthenticatedToken(*identity, realm.Ref, expiration, allowed)
 	signedToken, err := d.tokenSigner(authedToken)
 	if err != nil {
 		// Unable to generate JWT

diff --git a/module_entrypoint.go b/module_entrypoint.go
@@ -89,7 +89,7 @@ func (e ProtectorPlugin) Authenticate(w http.ResponseWriter, r *http.Request) (c
 				"username": claims.Username,
 				"avatar":   claims.Avatar,
 			},
-		}, true, nil
+		}, claims.Authorised, nil
 	}
 
 	// 15 minutes to make it through Discord consent.

diff --git a/token.go b/token.go
@@ -21,8 +21,9 @@ type JWTManager struct {
 type AuthenticatedClaims struct {
 	Realm string `json:"realm,omitempty"`
 
-	Username string `json:"user,omitempty"`
-	Avatar   string `json:"avatar,omitempty"`
+	Username   string `json:"user,omitempty"`
+	Avatar     string `json:"avatar,omitempty"`
+	Authorised bool   `json:"authorised,omitempty"`
 	jwt.RegisteredClaims
 }
 
@@ -40,11 +41,12 @@ func (f FlowTokenParser) GetAudience() string {
 	return "flow"
 }
 
-func NewAuthenticatedToken(identity discord.User, realm string, exp time.Time) *jwt.Token {
+func NewAuthenticatedToken(identity discord.User, realm string, exp time.Time, authorised bool) *jwt.Token {
 	claims := AuthenticatedClaims{
 		realm,
 		identity.Username,
 		identity.Avatar,
+		authorised,
 		jwt.RegisteredClaims{
 			Audience:  []string{"auth"},
 			ExpiresAt: jwt.NewNumericDate(exp),