volatiletech/authboss

Why is the current user being set in the context before the password is validated?

ibraheemdev opened this issue · 1 comments

Why is the current user being set in the context before the password is validated? In auth.go:

authUser := authboss.MustBeAuthable(pidUser)
password := authUser.GetPassword()

// Sets the current user first?
r = r.WithContext(context.WithValue(r.Context(), authboss.CTXKeyUser, pidUser))

// Then validates the password???
var handled bool
err = bcrypt.CompareHashAndPassword(....

And in context.go, the CurrentUser method returns the same context value as the current user:

func (a *Authboss) CurrentUser(r *http.Request) (User, error) {
  if user := r.Context().Value(CTXKeyUser); user != nil {
    return user.(User), nil
  }
...

Is there a gaping security hole where the current user is set even if the login fails? What am I missing here?

I realized that context is only stored during the request lifecycle, and is freed after the response is sent back. The user context is stored for use by other middleware.
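The two points in this thread (context values are scoped to one request, and the user is placed in the context before the password check) can be demonstrated with a small standard-library program. This is an added example, not authboss's own code: `ctxKeyUser`, `User`, the `users` map, `currentUser`, and the two `login*` functions are assumptions written for illustration, and `verifyPassword` is a SHA-256 stand-in for `bcrypt.CompareHashAndPassword` so the example runs without external modules (a real service keeps bcrypt or argon2). It shows that with the ordering quoted from auth.go the user is visible to anything that receives the same `*http.Request` after a failed check, that storing the user only after verification closes that window, and that neither ordering lets a user leak into a separate request.

```go
package main

import (
	"context"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type ctxKey string

// ctxKeyUser plays the role of authboss.CTXKeyUser (assumption, not the real key).
const ctxKeyUser ctxKey = "user"

// User is a minimal stand-in for the authboss User interface (assumption).
type User struct {
	PID  string
	hash [32]byte
}

// Constructed user store for the example: one account, password "correct horse".
var users = map[string]*User{
	"alice": {PID: "alice", hash: sha256.Sum256([]byte("salt:correct horse"))},
}

// verifyPassword stands in for bcrypt.CompareHashAndPassword so the example stays
// standard-library only; a salted SHA-256 is NOT a suitable password hash in practice.
func verifyPassword(u *User, candidate string) bool {
	got := sha256.Sum256([]byte("salt:" + candidate))
	return subtle.ConstantTimeCompare(got[:], u.hash[:]) == 1
}

// currentUser mirrors authboss's CurrentUser: it reads the user from the request context.
func currentUser(r *http.Request) (*User, bool) {
	u, ok := r.Context().Value(ctxKeyUser).(*User)
	return u, ok
}

// loginSetsUserEarly reproduces the ordering quoted in the issue: the user is stored
// in the context first and the password is verified afterwards.
func loginSetsUserEarly(r *http.Request, pid, password string) (*http.Request, error) {
	u, ok := users[pid]
	if !ok {
		return r, errors.New("invalid credentials")
	}
	r = r.WithContext(context.WithValue(r.Context(), ctxKeyUser, u))
	if !verifyPassword(u, password) {
		return r, errors.New("invalid credentials")
	}
	return r, nil
}

// loginSetsUserLate verifies the password first and stores the user only on success,
// so a failed login never produces a request that carries a user.
func loginSetsUserLate(r *http.Request, pid, password string) (*http.Request, error) {
	u, ok := users[pid]
	if !ok || !verifyPassword(u, password) {
		return r, errors.New("invalid credentials")
	}
	return r.WithContext(context.WithValue(r.Context(), ctxKeyUser, u)), nil
}

type loginFunc func(*http.Request, string, string) (*http.Request, error)

// userVisibleAfterFailedLogin runs a wrong-password login on a fresh request and reports
// whether anything handed the resulting request (e.g. later middleware) would see a user.
func userVisibleAfterFailedLogin(login loginFunc) bool {
	r := httptest.NewRequest(http.MethodPost, "/login", nil)
	r, err := login(r, "alice", "wrong password")
	_, visible := currentUser(r)
	return err != nil && visible
}

// successfulLoginPID returns the PID found in the context after a correct password, or "".
func successfulLoginPID(login loginFunc) string {
	r := httptest.NewRequest(http.MethodPost, "/login", nil)
	r, err := login(r, "alice", "correct horse")
	if err != nil {
		return ""
	}
	if u, ok := currentUser(r); ok {
		return u.PID
	}
	return ""
}

// userLeaksIntoNextRequest shows the point made in the comment: a context value belongs
// to one request, so a second, independent request starts without any user.
func userLeaksIntoNextRequest() bool {
	r1 := httptest.NewRequest(http.MethodPost, "/login", nil)
	r1, _ = loginSetsUserEarly(r1, "alice", "wrong password")
	_ = r1 // discarded, as the server does once the response is written
	r2 := httptest.NewRequest(http.MethodGet, "/profile", nil)
	_, visible := currentUser(r2)
	return visible
}

func main() {
	fmt.Println("early ordering, failed login, user visible in request:", userVisibleAfterFailedLogin(loginSetsUserEarly))
	fmt.Println("late ordering, failed login, user visible in request:", userVisibleAfterFailedLogin(loginSetsUserLate))
	fmt.Println("user from one request visible in the next request:", userLeaksIntoNextRequest())
}
```

The practical takeaway for reviewing such code is the middle case: the request-scoped context means there is no cross-request exposure, but whether a failed login can hand a populated request to downstream middleware depends on the handler returning immediately on error, which is why placing the user in the context only after verification is the less fragile ordering.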