setup: auto login after creating the first admin

2021-05-16 21:36:57 +02:00 · 2021-05-16 21:36:57 +02:00 · 60cfbd2989
commit 60cfbd2989
parent 8ecf64f481
3 changed files with 61 additions and 48 deletions
--- a/httpd/httpd_test.go
+++ b/httpd/httpd_test.go
@ -5192,6 +5192,11 @@ func TestWebAdminSetupMock(t *testing.T) {
 	rr = executeRequest(req)
 	checkResponseCode(t, http.StatusFound, rr)
 	assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))
+	req, err = http.NewRequest(http.MethodGet, webLoginPath, nil)
+	assert.NoError(t, err)
+	rr = executeRequest(req)
+	checkResponseCode(t, http.StatusFound, rr)
+	assert.Equal(t, webAdminSetupPath, rr.Header().Get("Location"))

 	csrfToken, err := getCSRFToken(httpBaseURL + webAdminSetupPath)
 	assert.NoError(t, err)
@ -5250,8 +5255,8 @@ func TestWebAdminSetupMock(t *testing.T) {
 	assert.NoError(t, err)
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	rr = executeRequest(req)
-	checkResponseCode(t, http.StatusSeeOther, rr)
-	assert.Equal(t, webLoginPath, rr.Header().Get("Location"))
+	checkResponseCode(t, http.StatusFound, rr)
+	assert.Equal(t, webUsersPath, rr.Header().Get("Location"))
 	// if we resubmit the form we get a bad request, an admin already exists
 	req, err = http.NewRequest(http.MethodPost, webAdminSetupPath, bytes.NewBuffer([]byte(form.Encode())))
 	assert.NoError(t, err)
--- a/httpd/server.go
+++ b/httpd/server.go
@ -197,13 +197,61 @@ func (s *httpdServer) handleWebAdminLoginPost(w http.ResponseWriter, r *http.Req
 		renderLoginPage(w, err.Error())
 		return
 	}
+	s.loginAdmin(w, r, &admin)
+}
+
+func (s *httpdServer) handleWebAdminSetupPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxLoginPostSize)
+	if dataprovider.HasAdmin() {
+		renderBadRequestPage(w, r, errors.New("an admin user already exists"))
+		return
+	}
+	err := r.ParseForm()
+	if err != nil {
+		renderAdminSetupPage(w, r, "", err.Error())
+		return
+	}
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
+		renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	username := r.Form.Get("username")
+	password := r.Form.Get("password")
+	confirmPassword := r.Form.Get("confirm_password")
+	if username == "" {
+		renderAdminSetupPage(w, r, username, "Please set a username")
+		return
+	}
+	if password == "" {
+		renderAdminSetupPage(w, r, username, "Please set a password")
+		return
+	}
+	if password != confirmPassword {
+		renderAdminSetupPage(w, r, username, "Passwords mismatch")
+		return
+	}
+	admin := dataprovider.Admin{
+		Username:    username,
+		Password:    password,
+		Status:      1,
+		Permissions: []string{dataprovider.PermAdminAny},
+	}
+	err = dataprovider.AddAdmin(&admin)
+	if err != nil {
+		renderAdminSetupPage(w, r, username, err.Error())
+		return
+	}
+	s.loginAdmin(w, r, &admin)
+}
+
+func (s *httpdServer) loginAdmin(w http.ResponseWriter, r *http.Request, admin *dataprovider.Admin) {
 	c := jwtTokenClaims{
 		Username:    admin.Username,
 		Permissions: admin.Permissions,
 		Signature:   admin.GetSignature(),
 	}

-	err = c.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebAdmin)
+	err := c.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebAdmin)
 	if err != nil {
 		logger.Warn(logSender, "", "unable to set admin login cookie %v", err)
 		renderLoginPage(w, err.Error())
@ -539,7 +587,7 @@ func (s *httpdServer) initializeRouter() {
 		s.router.Get(webLoginPath, handleWebLogin)
 		s.router.Post(webLoginPath, s.handleWebAdminLoginPost)
 		s.router.Get(webAdminSetupPath, handleWebAdminSetupGet)
-		s.router.Post(webAdminSetupPath, handleWebAdminSetupPost)
+		s.router.Post(webAdminSetupPath, s.handleWebAdminSetupPost)

 		s.router.Group(func(router chi.Router) {
 			router.Use(jwtauth.Verify(s.tokenAuth, jwtauth.TokenFromCookie))
--- a/httpd/webadmin.go
+++ b/httpd/webadmin.go
@ -1038,6 +1038,10 @@ func handleWebLogout(w http.ResponseWriter, r *http.Request) {
 }

 func handleWebLogin(w http.ResponseWriter, r *http.Request) {
+	if !dataprovider.HasAdmin() {
+		http.Redirect(w, r, webAdminSetupPath, http.StatusFound)
+		return
+	}
 	renderLoginPage(w, "")
 }

@ -1125,50 +1129,6 @@ func handleWebAdminSetupGet(w http.ResponseWriter, r *http.Request) {
 	renderAdminSetupPage(w, r, "", "")
 }

-func handleWebAdminSetupPost(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, maxLoginPostSize)
-	if dataprovider.HasAdmin() {
-		renderBadRequestPage(w, r, errors.New("an admin user already exists"))
-		return
-	}
-	err := r.ParseForm()
-	if err != nil {
-		renderAdminSetupPage(w, r, "", err.Error())
-		return
-	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken)); err != nil {
-		renderForbiddenPage(w, r, err.Error())
-		return
-	}
-	username := r.Form.Get("username")
-	password := r.Form.Get("password")
-	confirmPassword := r.Form.Get("confirm_password")
-	if username == "" {
-		renderAdminSetupPage(w, r, username, "Please set a username")
-		return
-	}
-	if password == "" {
-		renderAdminSetupPage(w, r, username, "Please set a password")
-		return
-	}
-	if password != confirmPassword {
-		renderAdminSetupPage(w, r, username, "Passwords mismatch")
-		return
-	}
-	admin := dataprovider.Admin{
-		Username:    username,
-		Password:    password,
-		Status:      1,
-		Permissions: []string{dataprovider.PermAdminAny},
-	}
-	err = dataprovider.AddAdmin(&admin)
-	if err != nil {
-		renderAdminSetupPage(w, r, username, err.Error())
-		return
-	}
-	http.Redirect(w, r, webLoginPath, http.StatusSeeOther)
-}
-
 func handleWebAddAdminGet(w http.ResponseWriter, r *http.Request) {
 	admin := &dataprovider.Admin{Status: 1}
 	renderAddUpdateAdminPage(w, r, admin, "", true)