fix: oauth account linking broken due to redundant auth check

0PandaDEV · 0PandaDEV · commit 439c8462aeaf · 2025-11-06T15:05:22.000+01:00
diff --git a/server/api/auth/epilogue/link.get.ts b/server/api/auth/epilogue/link.get.ts
@@ -37,14 +37,6 @@ export default defineEventHandler(async (event: H3Event) => {
     });
   }
 
-  if (!event.context.user) {
-    console.error("Epilogue Link error: Unauthorized access attempt");
-    throw createError({
-      statusCode: 401,
-      message: "Unauthorized",
-    });
-  }
-
   const sessionCookie = getCookie(event, "ziit_session");
 
   if (!sessionCookie) {
diff --git a/server/api/auth/github/link.get.ts b/server/api/auth/github/link.get.ts
@@ -37,15 +37,7 @@ export default defineEventHandler(async (event: H3Event) => {
     });
   }
 
-  if (!event.context.user) {
-    console.error("GitHub Link error: Unauthorized access attempt");
-    throw createError({
-      statusCode: 401,
-      message: "Unauthorized",
-    });
-  }
-
-  const sessionCookie = getCookie(event, "session");
+  const sessionCookie = getCookie(event, "ziit_session");
 
   if (!sessionCookie) {
     throw createError({
diff --git a/server/middleware/auth.ts b/server/middleware/auth.ts
@@ -8,8 +8,8 @@ const AUTH_CONFIG = {
   publicApiPaths: [
     "/api/external/",
     "/api/auth/",
-    "/api/public",
-    "/api/leaderboard",
+    "/api/public/",
+    "/api/leaderboard/",
   ],
   publicPages: [
     "/stats",
@@ -32,16 +32,13 @@ export default defineEventHandler(async (event: H3Event) => {
     return;
   }
 
-  if (path.startsWith("/api/")) {
-    if (!sessionCookie) {
+  if (!sessionCookie) {
+    if (path.startsWith("/api/")) {
       throw createError({
         statusCode: 401,
         message: "Unauthorized",
       });
     }
-  }
-
-  if (!sessionCookie) {
     return sendRedirect(event, AUTH_CONFIG.loginRedirectPath);
   }
 
@@ -64,8 +61,15 @@ export default defineEventHandler(async (event: H3Event) => {
     event.context.user = user;
     return;
   } catch (error) {
-    console.error(error);
+    console.error("Auth middleware error:", error);
     deleteCookie(event, AUTH_CONFIG.sessionCookieName);
+
+    if (path.startsWith("/api/")) {
+      throw createError({
+        statusCode: 401,
+        message: "Unauthorized",
+      });
+    }
     return sendRedirect(event, AUTH_CONFIG.loginRedirectPath);
   }
 });
@@ -76,6 +80,5 @@ function isPublicPath(path: string): boolean {
       return true;
     }
   }
-  
   return AUTH_CONFIG.publicPages.includes(path);
 }
