From 3301800f42d2991382dff4929a18ad3eeffda29b Mon Sep 17 00:00:00 2001
From: Jamie Curnow
Date: Mon, 29 May 2023 15:18:18 +1000
Subject: [PATCH] prevent panic when sse token is not found

---
 backend/internal/api/middleware/auth.go | 2 +-
 backend/internal/api/middleware/sse_auth.go | 12 +++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/backend/internal/api/middleware/auth.go b/backend/internal/api/middleware/auth.go
index 7ca8c7e..8e5802f 100644
--- a/backend/internal/api/middleware/auth.go
+++ b/backend/internal/api/middleware/auth.go
@@ -29,7 +29,7 @@ func DecodeAuth() func(http.Handler) http.Handler {
 }
 
 tokenAuth := jwtauth.New("RS256", privateKey, publicKey)
- return jwtauth.Verify(tokenAuth, jwtauth.TokenFromHeader)
+ return jwtauth.Verify(tokenAuth, jwtauth.TokenFromHeader, jwtauth.TokenFromQuery)
 }
 
 // Enforce is a authentication middleware to enforce access from the
diff --git a/backend/internal/api/middleware/sse_auth.go b/backend/internal/api/middleware/sse_auth.go
index 4644acc..5fa9e74 100644
--- a/backend/internal/api/middleware/sse_auth.go
+++ b/backend/internal/api/middleware/sse_auth.go
@@ -14,13 +14,23 @@ import (
 func SSEAuth(next http.Handler) http.Handler {
 return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 ctx := r.Context()
-
 token, claims, err := jwtauth.FromContext(ctx)
+
 if err != nil {
 h.ResultErrorJSON(w, r, http.StatusUnauthorized, err.Error(), nil)
 return
 }
 
+ if token == nil {
+ h.ResultErrorJSON(w, r, http.StatusUnauthorized, "No token given", nil)
+ return
+ }
+
+ if claims != nil {
+ h.ResultErrorJSON(w, r, http.StatusUnauthorized, "Unauthorised", nil)
+ return
+ }
+
 userID := uint(claims["uid"].(float64))
 _, enabled := user.IsEnabled(userID)
 if token == nil || !token.Valid || !enabled || !claims.VerifyIssuer("sse", true) {
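Review bot: Adding `jwtauth.TokenFromQuery` to the verifier returned by `DecodeAuth` makes every route behind this middleware accept a bearer JWT in the URL query string, not only the SSE endpoint the change is presumably for (EventSource clients cannot set request headers). A token in a query string is written to access logs, reverse-proxy logs and browser history and can leak through the Referer header, so the query-string extractor should be limited to the SSE route, for example by building a second verifier with `jwtauth.Verify(tokenAuth, jwtauth.TokenFromQuery)` and mounting it only there, while `DecodeAuth` keeps `jwtauth.TokenFromHeader` alone. Whichever route accepts it, confirm the request logger redacts the query parameter that `TokenFromQuery` reads. `DecodeAuth` begins before this hunk.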
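Review bot: The new guard `if claims != nil {` is inverted: a request carrying a token with claims is rejected with "Unauthorised", while a request with nil claims falls through to `claims["uid"].(float64)`, which panics on a nil interface value — the panic the commit title says it prevents. It should be `if claims == nil {`, and if `jwtauth.FromContext` returns an empty map rather than nil when no token is present (worth checking against the vendored version), that guard never fires and only the `token == nil` check protects the line. The `uid` access itself is an unchecked type assertion, so a token whose `uid` claim is absent or not a JSON number still panics after this change; guard it with a checked assertion as below. With the nil-token guard in place, the `token == nil ||` term of the final condition is redundant. The handler closure continues past the end of the hunk.
```go
		if claims == nil {
			h.ResultErrorJSON(w, r, http.StatusUnauthorized, "Unauthorised", nil)
			return
		}

		// uid arrives as decoded JSON, so check the assertion instead of letting it panic.
		uid, ok := claims["uid"].(float64)
		if !ok {
			h.ResultErrorJSON(w, r, http.StatusUnauthorized, "Unauthorised", nil)
			return
		}
		userID := uint(uid)
		// … unchanged: user.IsEnabled lookup and token/issuer check …
```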