From 04a8ef7c356ed6149743b14ef75811f7c7745236 Mon Sep 17 00:00:00 2001
From: David Christofas
Date: Wed, 29 Sep 2021 10:19:12 +0200
Subject: [PATCH] fix the account resolver middleware

---
 changelog/unreleased/fix-account-resolver.md | 6 +++++
 proxy/pkg/middleware/account_resolver.go | 27 +++++++++++++++-----
 2 files changed, 27 insertions(+), 6 deletions(-)
 create mode 100644 changelog/unreleased/fix-account-resolver.md

diff --git a/changelog/unreleased/fix-account-resolver.md b/changelog/unreleased/fix-account-resolver.md
new file mode 100644
index 00000000000..04a4e7e0828
--- /dev/null
+++ b/changelog/unreleased/fix-account-resolver.md
@@ -0,0 +1,6 @@
+Bugfix: Fix the account resolver middleware
+
+The accounts resolver middleware put an empty token into the request when the user was already present.
+Added a step to get the token for the user.
+
+https://github.com/owncloud/ocis/pull/2557
diff --git a/proxy/pkg/middleware/account_resolver.go b/proxy/pkg/middleware/account_resolver.go
index ec259b50cb8..636a1a0190e 100644
--- a/proxy/pkg/middleware/account_resolver.go
+++ b/proxy/pkg/middleware/account_resolver.go
@@ -42,7 +42,7 @@ type accountResolver struct {
 func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 ctx := req.Context()
 claims := oidc.FromContext(ctx)
- u, ok := revactx.ContextGetUser(ctx)
+ user, ok := revactx.ContextGetUser(ctx)
 token := ""
 
 // TODO what if an X-Access-Token is set? happens eg for download requests to the /data endpoint in the reva frontend
@@ -51,7 +51,7 @@ func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 return
 }
 
- if u == nil && claims != nil {
+ if user == nil && claims != nil {
 var err error
 var value string
 
@@ -62,7 +62,7 @@ func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 return
 }
 
- u, token, err = m.userProvider.GetUserByClaims(req.Context(), m.userCS3Claim, value, true)
+ user, token, err = m.userProvider.GetUserByClaims(req.Context(), m.userCS3Claim, value, true)
 
 if errors.Is(err, backend.ErrAccountNotFound) {
 m.logger.Debug().Str("claim", m.userOIDCClaim).Str("value", value).Msg("User by claim not found")
@@ -72,7 +72,7 @@ func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 return
 }
 m.logger.Debug().Interface("claims", claims).Msg("Autoprovisioning user")
- u, err = m.userProvider.CreateUserFromClaims(req.Context(), claims)
+ user, err = m.userProvider.CreateUserFromClaims(req.Context(), claims)
 // TODO instead of creating an account create a personal storage via the CS3 admin api?
 // see https://cs3org.github.io/cs3apis/#cs3.admin.user.v1beta1.CreateUserRequest
 }
@@ -90,10 +90,25 @@ func (m accountResolver) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 }
 
 // add user to context for selectors
- ctx = revactx.ContextSetUser(ctx, u)
+ ctx = revactx.ContextSetUser(ctx, user)
 req = req.WithContext(ctx)
 
- m.logger.Debug().Interface("claims", claims).Interface("user", u).Msg("associated claims with user")
+ m.logger.Debug().Interface("claims", claims).Interface("user", user).Msg("associated claims with user")
+ } else if user != nil {
+ var err error
+ _, token, err = m.userProvider.GetUserByClaims(req.Context(), "username", user.Username, true)
+
+ if errors.Is(err, backend.ErrAccountDisabled) {
+ m.logger.Debug().Interface("user", user).Msg("Disabled")
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
+
+ if err != nil {
+ m.logger.Error().Err(err).Msg("Could not get user by claim")
+ w.WriteHeader(http.StatusInternalServerError)
+ return
+ }
 }
 
 req.Header.Set(revactx.TokenHeader, token)
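Review bot: In the new `else if user != nil` branch of the `@@ -90` hunk, every error other than `backend.ErrAccountDisabled` — including `backend.ErrAccountNotFound`, which the first branch handles explicitly — becomes a 500 whose log line (`Could not get user by claim`) describes the wrong lookup and omits the username a responder would need to correlate it. I would treat not-found like the disabled case (debug log, 401, return) and change the generic line to `m.logger.Error().Err(err).Str("username", user.Username).Msg("Could not get user by username")`. The lookup discards the returned account (`_, token, err = ...`), so the token forwarded in `revactx.TokenHeader` is minted for whatever account the backend matches on `"username"` without comparing it to the user already in the context; if that lookup is not strictly exact-match, the returned account's identity should be checked against the context user before the token is set, and at minimum a comment should state the assumption that the context user was placed there by an authenticating middleware. The literal `"username"` claim also deserves a named constant next to `m.userCS3Claim` rather than a magic string. ServeHTTP continues past the end of this hunk.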