user-api: fix Auth<T> request guards not forwarding

stadust · stadust · commit f57444bed6f8 · 2025-07-12T18:31:27.000+01:00
Sometimes, we have authenticated and unauthenticated variants of the same endpoint, with the implicit assumption that if a request had no authentication information (e.g. headers, cookies, whatevs), then rocket would pick the unauthenticated one. However, this only worked if the FromRequest impl for Auth<T> actually forwarded instead of returning an Unauthorized error on missing authentication information (as rocket will abort request processing when Outcome::Error is returned). Yet, this was not the case. While we are at it, forward with the correct status code (unauthorized instead of not found) Closes #270 Signed-off-by: stadust <43299462+stadust@users.noreply.github.com>
diff --git a/pointercrate-test/tests/user/login.rs b/pointercrate-test/tests/user/login.rs
@@ -96,7 +96,7 @@ pub async fn test_login_no_header(pool: Pool<Postgres>) {
     client
         .post("/api/v1/auth/", &())
         .header("X-Real-IP", "127.0.0.1")
-        .expect_status(Status::NotFound)
+        .expect_status(Status::Unauthorized)
         .execute()
         .await;
 }
diff --git a/pointercrate-user-api/src/auth.rs b/pointercrate-user-api/src/auth.rs
@@ -51,30 +51,26 @@ impl<'r> FromRequest<'r> for Auth<NonMutating> {
     type Error = UserError;
 
     async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
-        if request.cookies().get("access_token").is_none() {
-            return Outcome::Forward(Status::NotFound);
-        }
+        let Some(access_token) = request.cookies().get("access_token") else {
+            return Outcome::Forward(Status::Unauthorized);
+        };
 
         let pool = tryo_state!(request, PointercratePool);
         let permission_manager = tryo_state!(request, PermissionsManager).clone();
 
         let mut connection = tryo_result!(pool.transaction().await);
 
-        if let Some(access_token) = request.cookies().get("access_token") {
-            let access_claims = tryo_result!(AccessClaims::decode(access_token.value()));
-            let user = tryo_result!(AuthenticatedUser::by_id(tryo_result!(access_claims.id()), &mut connection).await);
-            let authenticated_for_get = tryo_result!(user.validate_cookie_claims(access_claims));
-
-            tryo_result!(audit_connection(&mut connection, authenticated_for_get.user().id).await);
+        let access_claims = tryo_result!(AccessClaims::decode(access_token.value()));
+        let user = tryo_result!(AuthenticatedUser::by_id(tryo_result!(access_claims.id()), &mut connection).await);
+        let authenticated_for_get = tryo_result!(user.validate_cookie_claims(access_claims));
 
-            return Outcome::Success(Auth {
-                user: authenticated_for_get,
-                connection,
-                permissions: permission_manager,
-            });
-        }
+        tryo_result!(audit_connection(&mut connection, authenticated_for_get.user().id).await);
 
-        CoreError::Unauthorized.into_outcome()
+        Outcome::Success(Auth {
+            user: authenticated_for_get,
+            connection,
+            permissions: permission_manager,
+        })
     }
 }
 
@@ -85,7 +81,7 @@ impl<'r> FromRequest<'r> for Auth<ApiToken> {
     async fn from_request(request: &'r Request<'_>) -> Outcome<Self, Self::Error> {
         // No auth header set, forward to the request handler that doesnt require authorization (if one exists)
         if request.headers().get_one("Authorization").is_none() && request.cookies().get("access_token").is_none() {
-            return Outcome::Forward(Status::NotFound);
+            return Outcome::Forward(Status::Unauthorized);
         }
 
         let pool = tryo_state!(request, PointercratePool);
@@ -125,7 +121,7 @@ impl<'r> FromRequest<'r> for Auth<ApiToken> {
             });
         }
 
-        CoreError::Unauthorized.into_outcome()
+        Outcome::Forward(Status::Unauthorized)
     }
 }
 
@@ -140,7 +136,7 @@ impl<'r> FromRequest<'r> for Auth<PasswordOrBrowser> {
 
         // No auth header set, forward to the request handler that doesnt require authorization (if one exists)
         if request.headers().get_one("Authorization").is_none() && request.cookies().get("access_token").is_none() {
-            return Outcome::Forward(Status::NotFound);
+            return Outcome::Forward(Status::Unauthorized);
         }
 
         let pool = tryo_state!(request, PointercratePool);
@@ -190,6 +186,6 @@ impl<'r> FromRequest<'r> for Auth<PasswordOrBrowser> {
             });
         }
 
-        CoreError::Unauthorized.into_outcome()
+        Outcome::Forward(Status::Unauthorized)
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -96,7 +96,7 @@ pub async fn test_login_no_header(pool: Pool<Postgres>) {`
`96`	`96`	`client`
`97`	`97`	`.post("/api/v1/auth/", &())`
`98`	`98`	`.header("X-Real-IP", "127.0.0.1")`
`99`		`- .expect_status(Status::NotFound)`
	`99`	`+ .expect_status(Status::Unauthorized)`
`100`	`100`	`.execute()`
`101`	`101`	`.await;`
`102`	`102`	`}`