Cleanup SyncOnLogin Handling

internal/auth/auth.go

@@ -22,7 +22,7 @@ import (
 
 type Authenticator interface {
 	Init(config interface{}) error
-	CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) bool
+	CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) (*schema.User, bool)
 	Login(user *schema.User, rw http.ResponseWriter, r *http.Request) (*schema.User, error)
 }
 
@@ -148,7 +148,7 @@ func (auth *Authentication) Login(
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		err := errors.New("no authenticator applied")
 		username := r.FormValue("username")
-		dbUser := (*schema.User)(nil)
+		var dbUser *schema.User
 
 		if username != "" {
 			dbUser, err = repository.GetUserRepository().GetUser(username)
@@ -158,11 +158,13 @@ func (auth *Authentication) Login(
 		}
 
 		for _, authenticator := range auth.authenticators {
-			if !authenticator.CanLogin(dbUser, username, rw, r) {
+			var ok bool
+			var user *schema.User
+			if user, ok = authenticator.CanLogin(dbUser, username, rw, r); !ok {
 				continue
 			}
 
-			user, err := authenticator.Login(dbUser, rw, r)
+			user, err = authenticator.Login(user, rw, r)
 			if err != nil {
 				log.Warnf("user login failed: %s", err.Error())
 				onfailure(rw, r, err)

internal/auth/jwtCookieSession.go

@@ -11,6 +11,7 @@ import (
 	"net/http"
 	"os"
 
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	"github.com/golang-jwt/jwt/v4"
@@ -88,7 +89,7 @@ func (ja *JWTCookieSessionAuthenticator) CanLogin(
 	user *schema.User,
 	username string,
 	rw http.ResponseWriter,
-	r *http.Request) bool {
+	r *http.Request) (*schema.User, bool) {
 
 	cookieName := ""
 	if ja.config != nil && ja.config.CookieName != "" {
@@ -100,11 +101,11 @@ func (ja *JWTCookieSessionAuthenticator) CanLogin(
 		jwtCookie, err := r.Cookie(cookieName)
 
 		if err == nil && jwtCookie.Value != "" {
-			return true
+			return user, true
 		}
 	}
 
-	return false
+	return nil, false
 }
 
 func (ja *JWTCookieSessionAuthenticator) Login(
@@ -194,6 +195,12 @@ func (ja *JWTCookieSessionAuthenticator) Login(
 			AuthType:   schema.AuthSession,
 			AuthSource: schema.AuthViaToken,
 		}
+
+		if ja.config.SyncUserOnLogin {
+			if err := repository.GetUserRepository().AddUser(user); err != nil {
+				log.Errorf("Error while adding user '%s' to DB", user.Username)
+			}
+		}
 	}
 
 	return user, nil

internal/auth/jwtSession.go

@@ -44,9 +44,9 @@ func (ja *JWTSessionAuthenticator) CanLogin(
 	user *schema.User,
 	username string,
 	rw http.ResponseWriter,
-	r *http.Request) bool {
+	r *http.Request) (*schema.User, bool) {
 
-	return r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
+	return user, r.Header.Get("Authorization") != "" || r.URL.Query().Get("login-token") != ""
 }
 
 func (ja *JWTSessionAuthenticator) Login(
@@ -130,10 +130,12 @@ func (ja *JWTSessionAuthenticator) Login(
 			AuthSource: schema.AuthViaToken,
 		}
 
+		if ja.config.SyncUserOnLogin {
 			if err := repository.GetUserRepository().AddUser(user); err != nil {
 				log.Errorf("Error while adding user '%s' to DB", user.Username)
 			}
 		}
+	}
 
 	return user, nil
 }

internal/auth/ldap.go

@@ -67,33 +67,34 @@ func (la *LdapAuthenticator) CanLogin(
 	user *schema.User,
 	username string,
 	rw http.ResponseWriter,
-	r *http.Request) bool {
+	r *http.Request) (*schema.User, bool) {
 
 	if user != nil && user.AuthSource == schema.AuthViaLDAP {
-		return true
+		return user, true
 	} else {
 		if la.config != nil && la.config.SyncUserOnLogin {
 			l, err := la.getLdapConnection(true)
 			if err != nil {
 				log.Error("LDAP connection error")
 			}
+			defer l.Close()
 
 			// Search for the given username
 			searchRequest := ldap.NewSearchRequest(
 				la.config.UserBase,
 				ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-				fmt.Sprintf("(%s(uid=%s))", la.config.UserFilter, username),
+				fmt.Sprintf("(&%s(uid=%s))", la.config.UserFilter, username),
 				[]string{"dn", "uid", "gecos"}, nil)
 
 			sr, err := l.Search(searchRequest)
 			if err != nil {
 				log.Warn(err)
-				return false
+				return user, false
 			}
 
 			if len(sr.Entries) != 1 {
 				log.Warn("User does not exist or too many entries returned")
-				return false
+				return user, false
 			}
 
 			entry := sr.Entries[0]
@@ -113,7 +114,7 @@ func (la *LdapAuthenticator) CanLogin(
 
 			if err := repository.GetUserRepository().AddUser(user); err != nil {
 				log.Errorf("User '%s' LDAP: Insert into DB failed", username)
-				return false
+				return nil, false
 			}
 
 			// if _, err := la.auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
@@ -122,11 +123,11 @@ func (la *LdapAuthenticator) CanLogin(
 			// 	return false
 			// }
 
-			return true
+			return user, true
 		}
 	}
 
-	return false
+	return nil, false
 }
 
 func (la *LdapAuthenticator) Login(
@@ -176,7 +177,7 @@ func (la *LdapAuthenticator) Sync() error {
 	ldapResults, err := l.Search(ldap.NewSearchRequest(
 		la.config.UserBase,
 		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		fmt.Sprintf("(%s(uid=%s))", la.config.UserFilter, "*"),
+		la.config.UserFilter,
 		[]string{"dn", "uid", "gecos"}, nil))
 	if err != nil {
 		log.Warn("LDAP search error")

internal/auth/local.go

@@ -29,9 +29,9 @@ func (la *LocalAuthenticator) CanLogin(
 	user *schema.User,
 	username string,
 	rw http.ResponseWriter,
-	r *http.Request) bool {
+	r *http.Request) (*schema.User, bool) {
 
-	return user != nil && user.AuthSource == schema.AuthViaLocalPassword
+	return user, user != nil && user.AuthSource == schema.AuthViaLocalPassword
 }
 
 func (la *LocalAuthenticator) Login(