Skip OIDC auth for non-protected paths later in middleware

lovasoa · lovasoa · commit 18769eb50aa4 · 2025-07-25T00:54:55.000+02:00
We still want to be able to access authenticated user's info in
non-authenticated parts of the app.

We crucially need to check request.path() == SQLPAGE_REDIRECT_URI before
the protected_paths check
diff --git a/src/webserver/oidc.rs b/src/webserver/oidc.rs
@@ -181,7 +181,11 @@ pub struct OidcService<S> {
     oidc_state: Arc<OidcState>,
 }
 
-impl<S> OidcService<S> {
+impl<S> OidcService<S>
+where
+    S: Service<ServiceRequest, Response = ServiceResponse<BoxBody>, Error = Error>,
+    S::Future: 'static,
+{
     pub fn new(service: S, oidc_state: Arc<OidcState>) -> Self {
         Self {
             service,
@@ -199,6 +203,20 @@ impl<S> OidcService<S> {
             return self.handle_oidc_callback(request);
         }
 
+        if !self
+            .oidc_state
+            .config
+            .protected_paths
+            .iter()
+            .any(|path| request.path().starts_with(path))
+        {
+            log::debug!(
+                "The request path {} is not in a protected path, skipping OIDC authentication",
+                request.path()
+            );
+            return Box::pin(self.service.call(request));
+        }
+
         log::debug!("Redirecting to OIDC provider");
 
         let response = build_auth_provider_redirect_response(
@@ -245,18 +263,6 @@ where
     fn call(&self, request: ServiceRequest) -> Self::Future {
         log::trace!("Started OIDC middleware request handling");
 
-        let protected_paths = &self.oidc_state.config.protected_paths;
-        if !protected_paths
-            .iter()
-            .any(|path| request.path().starts_with(path))
-        {
-            log::debug!(
-                "The request path {} is not in a protected path, skipping OIDC authentication",
-                request.path()
-            );
-            return Box::pin(self.service.call(request));
-        }
-
         let oidc_client = Arc::clone(&self.oidc_state.client);
         match get_authenticated_user_info(&oidc_client, &request) {
             Ok(Some(claims)) => {
