From 8f5ce1d9fc59ce9ad2e1947c0e2b8b6d8012d701 Mon Sep 17 00:00:00 2001
From: Yorick van Pelt
Date: Sun, 30 Apr 2023 21:26:10 +0200
Subject: [PATCH] improve rl.authenticateUser
---
 handlers.go | 39 ++++++++++++++++++---------------------
 1 file changed, 18 insertions(+), 21 deletions(-)
diff --git a/handlers.go b/handlers.go
index 35cb9e3..0d24945 100644
--- a/handlers.go
+++ b/handlers.go
@@ -246,22 +246,11 @@ func (rl *rushlink) viewActionSuccess(w http.ResponseWriter, r *http.Request, p
 func (rl *rushlink) newPasteHandler(w http.ResponseWriter, r *http.Request) {
 	// Check if the user is authenticated
-	username, password, ok := r.BasicAuth()
-	if !ok {
-		// User is not authenticated, return a 401 Unauthorized response
-		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-		w.WriteHeader(http.StatusUnauthorized)
+	user := rl.authenticateUser(w, r, false, nil)
+	if user == nil {
 		return
 	}
-	// Authenticate the user
-	user, err := db.Authenticate(rl.db, username, password)
-	if err != nil {
-		// Authentication failed, return a 401 Unauthorized response
-		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-		w.WriteHeader(http.StatusUnauthorized)
-		return
-	}
 	if err := r.ParseMultipartForm(formParseMaxMemory); err != nil {
 		msg := fmt.Sprintf("could not parse form: %v\n", err)
 		rl.renderError(w, r, http.StatusBadRequest, msg)
@@ -322,25 +311,33 @@ func (rl *rushlink) createUserHandler(w http.ResponseWriter, r *http.Request) {
 	w.WriteHeader(http.StatusCreated)
 }
+func (rl *rushlink) setWWWAuthenticate(w http.ResponseWriter, r *http.Request) {
+	// Set authentication headers for Basic Authentication
+	w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
+	w.WriteHeader(http.StatusUnauthorized)
+}
+
 func (rl *rushlink) authenticateUser(w http.ResponseWriter, r *http.Request, shouldBeAdmin bool, canAlsoBe *string) *db.User {
 	// Check if the user is authenticated
 	username, password, ok := r.BasicAuth()
 	if !ok {
 		// User is not authenticated, return a 401 Unauthorized response
-		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-		w.WriteHeader(http.StatusUnauthorized)
+		rl.setWWWAuthenticate(w, r)
 		return nil
 	}
 	// Authenticate the user
 	user, err := db.Authenticate(rl.db, username, password)
-	if err != nil || (shouldBeAdmin && !user.Admin && (canAlsoBe == nil || *canAlsoBe != user.User)) {
+	if err != nil {
+		rl.setWWWAuthenticate(w, r)
+		log.Printf("authentication failure: %s", err)
+		return nil
+	}
+
+	if (shouldBeAdmin && !user.Admin && (canAlsoBe == nil || *canAlsoBe != user.User)) {
 		// Authentication failed, return a 401 Unauthorized response
-		w.Header().Set("WWW-Authenticate", `Basic realm="Restricted"`)
-		w.WriteHeader(http.StatusUnauthorized)
-		if err != nil {
-			log.Printf("authentication failure: %s", err)
-		}
+		rl.setWWWAuthenticate(w, r)
+		log.Printf("user '%s' should be admin (or '%s'), but isn't", username, canAlsoBe)
 		return nil
 	}
 	return user
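Review bot: The new log line in the admin check passes `canAlsoBe`, a `*string`, to a `%s` verb, so the record shows a pointer address (or `%!s(<nil>)` when no alternate user is permitted) instead of the name; dereference it after a nil check. `username` comes straight from the request's Basic Auth header, so `%q` rather than `%s` for it keeps an embedded newline or control character from producing a forged log record. The parentheses around the new `if` condition are redundant and `gofmt` would drop them, and `setWWWAuthenticate` never uses its `r` parameter. A doc comment on `authenticateUser` stating that it has already written the 401 response whenever it returns nil would make the caller contract relied on in `newPasteHandler` explicit.
```go
	if shouldBeAdmin && !user.Admin && (canAlsoBe == nil || *canAlsoBe != user.User) {
		// Authentication failed, return a 401 Unauthorized response
		rl.setWWWAuthenticate(w, r)
		alt := "<none>"
		if canAlsoBe != nil {
			alt = *canAlsoBe
		}
		log.Printf("user %q should be admin (or %q), but isn't", username, alt)
		return nil
	}
	// … unchanged: return user …
```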