authn: fix base path extraction for profile ui

greenpau · Mar 26, 2024 · dd6967e · dd6967e
1 parent 92f0dbe
commit dd6967e
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 5 deletions.
diff --git a/pkg/authn/handle_http_apps.go b/pkg/authn/handle_http_apps.go
@@ -25,17 +25,22 @@ import (
 	"github.com/greenpau/go-authcrunch/pkg/authn/ui"
 	"github.com/greenpau/go-authcrunch/pkg/requests"
 	"github.com/greenpau/go-authcrunch/pkg/user"
+	"go.uber.org/zap"
 )
 
 func (p *Portal) handleHTTPApps(ctx context.Context, w http.ResponseWriter, r *http.Request, rr *requests.Request, usr *user.User, appName string) error {
 	p.disableClientCache(w)
 	p.injectRedirectURL(ctx, w, r, rr)
-	if usr == nil {
+	if usr == nil && !strings.HasSuffix(r.URL.Path, appName+"/manifest.json") {
+		p.logger.Debug("app asset download is unauthorized", zap.String("app_name", appName), zap.String("app_file_url_path", r.URL.Path))
 		return p.handleHTTPError(ctx, w, r, rr, http.StatusUnauthorized)
 	}
 
 	if err := p.authorizedRole(usr, []role.Kind{role.Admin, role.User}, rr.Response.Authenticated); err != nil {
-		return p.handleHTTPError(ctx, w, r, rr, http.StatusForbidden)
+		if !strings.HasSuffix(r.URL.Path, appName+"/manifest.json") {
+			p.logger.Debug("app asset download is forbidden", zap.String("app_name", appName), zap.String("app_file_url_path", r.URL.Path))
+			return p.handleHTTPError(ctx, w, r, rr, http.StatusForbidden)
+		}
 	}
 
 	var assetPath string
@@ -46,6 +51,7 @@ func (p *Portal) handleHTTPApps(ctx context.Context, w http.ResponseWriter, r *h
 			assetPath = appName + "/" + assetPath
 		}
 	default:
+		p.logger.Debug("asset download for unsupported app", zap.String("app_name", appName), zap.String("app_file_url_path", r.URL.Path))
 		return p.handleHTTPRenderError(ctx, w, r, rr, fmt.Errorf("file not found"))
 	}
 
@@ -55,9 +61,11 @@ func (p *Portal) handleHTTPApps(ctx context.Context, w http.ResponseWriter, r *h
 		if strings.HasSuffix(assetPath, "/") || strings.Count(assetPath, "/") >= 3 || strings.HasSuffix(assetPath, "/new") {
 			asset, err = ui.AppAssets.GetAsset(appName + "/")
 			if err != nil {
+				p.logger.Debug("app asset download not found", zap.String("app_name", appName), zap.String("app_file_url_path", r.URL.Path), zap.String("asset_path", assetPath))
 				return p.handleHTTPError(ctx, w, r, rr, http.StatusNotFound)
 			}
 		} else {
+			p.logger.Debug("app asset download not found", zap.String("app_name", appName), zap.String("app_file_url_path", r.URL.Path), zap.String("asset_path", assetPath))
 			return p.handleHTTPError(ctx, w, r, rr, http.StatusNotFound)
 		}
 	}

diff --git a/pkg/authn/respond_http.go b/pkg/authn/respond_http.go
@@ -306,7 +306,7 @@ func (p *Portal) authorizeRequest(ctx context.Context, w http.ResponseWriter, r
 	return usr, nil
 }
 
-func extractBaseURLPath(ctx context.Context, r *http.Request, rr *requests.Request, s string) {
+func extractBaseURLPath(_ context.Context, r *http.Request, rr *requests.Request, s string) {
 	baseURL, basePath := util.GetBaseURL(r, s)
 	rr.Upstream.BaseURL = baseURL
 	if basePath == "/" {
@@ -328,12 +328,12 @@ func extractBasePath(ctx context.Context, r *http.Request, rr *requests.Request)
 	case r.URL.Path == "/auth":
 		rr.Upstream.BaseURL = util.GetCurrentBaseURL(r)
 		rr.Upstream.BasePath = "/auth/"
+	case strings.Contains(r.URL.Path, "/profile/"):
+		extractBaseURLPath(ctx, r, rr, "/profile")
 	case strings.HasSuffix(r.URL.Path, "/portal"):
 		extractBaseURLPath(ctx, r, rr, "/portal")
 	case strings.Contains(r.URL.Path, "/sandbox/"):
 		extractBaseURLPath(ctx, r, rr, "/sandbox/")
-	case strings.Contains(r.URL.Path, "/settings"):
-		extractBaseURLPath(ctx, r, rr, "/settings")
 	case strings.HasSuffix(r.URL.Path, "/recover"), strings.HasSuffix(r.URL.Path, "/forgot"):
 		extractBaseURLPath(ctx, r, rr, "/recover,/forgot")
 	case strings.HasSuffix(r.URL.Path, "/register"):