From 6f1b4db4f5a0b76ac241df7cd435903448941d49 Mon Sep 17 00:00:00 2001
From: mkelvers
Date: Wed, 13 May 2026 15:23:37 +0200
Subject: [PATCH] fix: enforce authentication by redirecting unauthenticated users to login

---
 internal/auth/middleware/middleware.go | 27 ++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/internal/auth/middleware/middleware.go b/internal/auth/middleware/middleware.go
index b48f92e..ec2c14f 100644
--- a/internal/auth/middleware/middleware.go
+++ b/internal/auth/middleware/middleware.go
@@ -2,19 +2,34 @@ package middleware
 
 import (
 	"mal/internal/domain"
+	"net/http"
 
 	"github.com/gin-gonic/gin"
 )
 
 func AuthMiddleware(svc domain.AuthService) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		sessionID, err := c.Cookie("session_id")
-		if err == nil {
-			user, err := svc.ValidateSession(c.Request.Context(), sessionID)
-			if err == nil {
-				c.Set("User", user)
-			}
+		// Allow access to login and logout endpoints without authentication
+		if c.Request.URL.Path == "/login" || c.Request.URL.Path == "/logout" {
+			c.Next()
+			return
 		}
+
+		sessionID, err := c.Cookie("session_id")
+		if err != nil {
+			c.Redirect(http.StatusSeeOther, "/login")
+			c.Abort()
+			return
+		}
+
+		user, err := svc.ValidateSession(c.Request.Context(), sessionID)
+		if err != nil {
+			c.Redirect(http.StatusSeeOther, "/login")
+			c.Abort()
+			return
+		}
+
+		c.Set("User", user)
 		c.Next()
 	}
 }
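Review bot: The second `if err != nil` branch treats every error from `svc.ValidateSession` as "not logged in", so a transient failure of the session backend is indistinguishable from an expired or tampered cookie and is silently converted into a redirect with nothing logged; consider matching only the service's invalid-session sentinel with `errors.Is(err, <domain sentinel placeholder>)` for the redirect and answering any other error with `c.AbortWithStatus(http.StatusInternalServerError)` after logging it. The redirect/abort/return triple is written twice; a local `redirectToLogin := func() { c.Redirect(http.StatusSeeOther, loginPath); c.Abort() }` with `const loginPath = "/login"` removes the duplication and the three repeated path literals. The allowlist is an exact string match on `c.Request.URL.Path`, so if static assets needed by the login page are served through the same engine they are now redirected as well; worth confirming against how the middleware is mounted. The exported `AuthMiddleware` has no doc comment; a one-liner such as `// AuthMiddleware redirects requests without a valid session cookie to /login (303) and exempts /login and /logout.` would tell callers that non-browser clients receive a redirect rather than a 401.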