volatiletech / authboss

The boss of http auth.
MIT License

Why is the current user being set in the context before the password is validated? #302

Closed ibraheemdev closed 4 years ago

ibraheemdev commented 4 years ago

Why is the current user being set in the context before the password is validated? In auth.go:

```go
authUser := authboss.MustBeAuthable(pidUser)
password := authUser.GetPassword()

// Sets the current user first?
r = r.WithContext(context.WithValue(r.Context(), authboss.CTXKeyUser, pidUser))

// Then validates the password???
var handled bool
err = bcrypt.CompareHashAndPassword(....
```

And in context.go, the CurrentUser method returns the same context value as the current user:

```go
func (a *Authboss) CurrentUser(r *http.Request) (User, error) {
  if user := r.Context().Value(CTXKeyUser); user != nil {
    return user.(User), nil
  }
...
```

Is there a gaping security hole where the current user is being set even if the login fails? What am I missing here?

ibraheemdev commented 4 years ago

I realized that context is only stored during the request lifecycle, and is freed after the response is sent back. The user context is stored for use by other middleware.
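As an added illustration of the answer above (example code, not the authboss project's own), the handler below keeps the issue's ordering, user into the request context first and password check second, and shows that a failed login leaves no user behind on the caller's request or on the next request. `ctxKey`, `storedHash` and `Login` are made-up local names, and a SHA-256 comparison stands in for bcrypt only so the example needs no third-party module.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

type ctxKey string // local stand-in for authboss.CTXKeyUser
const ctxKeyUser ctxKey = "user"

// Constructed credential; sha256 stands in for the bcrypt hash authboss stores (not a hashing recommendation).
var storedHash = sha256.Sum256([]byte("correct horse"))

// CurrentUser reads the context value the same way authboss's CurrentUser does.
func CurrentUser(r *http.Request) string {
	u, _ := r.Context().Value(ctxKeyUser).(string)
	return u
}

// loginHandler keeps the ordering from the issue: the user goes into the
// request context before the password is checked.
func loginHandler(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	r = r.WithContext(context.WithValue(r.Context(), ctxKeyUser, q.Get("pid")))
	got := sha256.Sum256([]byte(q.Get("password")))
	if subtle.ConstantTimeCompare(got[:], storedHash[:]) != 1 {
		http.Error(w, "invalid credentials", http.StatusUnauthorized)
		return
	}
	fmt.Fprintf(w, "welcome %s", CurrentUser(r))
}

// Login runs one login through loginHandler and reports the status plus whether
// the caller's request or a fresh request still carries a user afterwards.
func Login(pid, password string) (status int, leaked bool) {
	qs := url.Values{"pid": {pid}, "password": {password}}.Encode()
	req, rec := httptest.NewRequest("GET", "/login?"+qs, nil), httptest.NewRecorder()
	loginHandler(rec, req)
	fresh := httptest.NewRequest("GET", "/", nil)
	return rec.Code, CurrentUser(req) != "" || CurrentUser(fresh) != ""
}

func main() {
	fmt.Println(Login("alice", "correct horse")) // 200 false
	fmt.Println(Login("alice", "wrong"))         // 401 false
}
```

The context value set by `r.WithContext` lives on the handler's own copy of the request, so neither the original request object nor any later request sees it, which is why `leaked` is false in both cases.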