add unauthorised200 parameter to /user endpoint

Author: paskal

backend/app/rest/api/rest.go

@@ -291,10 +291,17 @@ func (s *Rest) routes() chi.Router {
 			rauth.Use(middleware.Timeout(30 * time.Second))
 			rauth.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(10, nil)))
 			rauth.Use(authMiddleware.Auth, matchSiteID, middleware.NoCache, logInfoWithBody)
-			rauth.Get("/user", s.privRest.userInfoCtrl)
 			rauth.Get("/userdata", s.privRest.userAllDataCtrl)
 		})
 
+		// protected routes, user is set but checked inside the handlers
+		rapi.Group(func(rauthOptional chi.Router) {
+			rauthOptional.Use(middleware.Timeout(30 * time.Second))
+			rauthOptional.Use(tollbooth_chi.LimitHandler(tollbooth.NewLimiter(10, nil)))
+			rauthOptional.Use(authMiddleware.Trace, middleware.NoCache, logInfoWithBody)
+			rauthOptional.Get("/user", s.privRest.userInfoCtrl)
+		})
+
 		// admin routes, require auth and admin users only
 		rapi.Route("/admin", func(radmin chi.Router) {
 			radmin.Use(middleware.Timeout(30 * time.Second))

backend/app/rest/api/rest_private.go

@@ -236,9 +236,22 @@ func (s *private) updateCommentCtrl(w http.ResponseWriter, r *http.Request) {
 	render.JSON(w, r, res)
 }
 
-// GET /user?site=siteID - returns user info
+// GET /user?site=siteID&unauthorised200=false - returns user info, with unauthorised200=true returns 200 with error message
 func (s *private) userInfoCtrl(w http.ResponseWriter, r *http.Request) {
-	user := rest.MustGetUserInfo(r)
+	user, err := rest.GetUserInfo(r)
+	if err != nil {
+		log.Printf("[ERROR] unathorised200: %s (%v)", r.URL.Query().Get("unauthorised200"), r.URL.Query().Get("unauthorised200") == "true")
+		if r.URL.Query().Get("unauthorised200") == "true" {
+			render.JSON(w, r, R.JSON{"error": err.Error()})
+			return
+		}
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	// as user is set, call matchSiteID middleware to verify SiteID match
+	matchSiteID(http.HandlerFunc(func(_ http.ResponseWriter, _ *http.Request) {})).ServeHTTP(w, r)
+
 	if siteID := r.URL.Query().Get("site"); siteID != "" {
 		user.Verified = s.dataService.IsVerified(siteID, user.ID)
 

frontend/apps/remark42/app/common/api.ts

@@ -60,8 +60,16 @@ export const removeMyComment = (id: Comment['id']): Promise<void> =>
 
 export const getPreview = (text: string): Promise<string> => apiFetcher.post('/preview', {}, { text });
 
-export function getUser(): Promise<User | null> {
-  return apiFetcher.get<User | null>('/user').catch(() => null);
+export function getUser(unauthorised200= true): Promise<User | null> {
+  return apiFetcher
+    .get<User | null>('/user', { unauthorised200: String(unauthorised200) })
+    .then((response) => {
+      if (unauthorised200 && response && 'error' in response) {
+        return null;
+      }
+      return response;
+    })
+    .catch(() => null);
 }
 
 export const uploadImage = (image: File): Promise<Image> => {

frontend/packages/api/clients/public.ts

@@ -93,8 +93,16 @@ export function createPublicClient({ siteId: site, baseUrl }: ClientParams) {
 	/**
 	 * Get current authorized user
 	 */
-	async function getUser(): Promise<User | null> {
-		return fetcher.get<User | null>('/user').catch(() => null)
+	async function getUser(unauthorised200= true): Promise<User | null> {
+		return fetcher
+			.get<User | null>('/user', { unauthorised200: String(unauthorised200) })
+			.then((response) => {
+				if (unauthorised200 && response && 'error' in response) {
+					return null;
+				}
+				return response;
+			})
+			.catch(() => null);
 	}
 
 	/**