From 377cb77307c4baa7a5474482ddc3d36eb170c200 Mon Sep 17 00:00:00 2001
From: Owen
Date: Mon, 13 Oct 2025 15:34:11 -0700
Subject: [PATCH] Returning unauthorized

---
 server/routers/badger/verifySession.ts | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/server/routers/badger/verifySession.ts b/server/routers/badger/verifySession.ts
index b1692dce..7c66ea7b 100644
--- a/server/routers/badger/verifySession.ts
+++ b/server/routers/badger/verifySession.ts
@@ -33,9 +33,7 @@ import createHttpError from "http-errors";
 import NodeCache from "node-cache";
 import { z } from "zod";
 import { fromError } from "zod-validation-error";
-import {
-    getCountryCodeForIp,
-} from "@server/lib/geoip";
+import { getCountryCodeForIp } from "@server/lib/geoip";
 import { getOrgTierData } from "#dynamic/lib/billing";
 import { TierId } from "@server/lib/billing/tiers";
 import { verifyPassword } from "@server/auth/password";
@@ -198,7 +196,7 @@ export async function verifyResourceSession(
     // IMPORTANT: ADD NEW AUTH CHECKS HERE OR WHEN TURNING OFF ALL OTHER AUTH METHODS IT WILL JUST PASS
     if (
-        !resource.sso &&
+        !sso &&
         !pincode &&
         !password &&
         !resource.emailWhitelistEnabled &&
@@ -315,8 +313,22 @@ export async function verifyResourceSession(
         return allowed(res);
     }
-    // if there are no other auth methods we need to return unauthorized here
-    if (!sso && !pincode && !password && !resource.emailWhitelistEnabled) {
+    if ( // we dont want to redirect if this is the only auth method and we did not pass here
+        !sso &&
+        !pincode &&
+        !password &&
+        !resource.emailWhitelistEnabled
+    ) {
+        return notAllowed(res);
+    }
+    } else if (headerAuth) {
+        // if there are no other auth methods we need to return unauthorized if nothing is provided
+        if (
+            !sso &&
+            !pincode &&
+            !password &&
+            !resource.emailWhitelistEnabled
+        ) {
+            return notAllowed(res);
+        }
     }
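Review bot: The "all other auth methods off → pass through" condition at the `@@ -198` hunk continues past the hunk's last line (`!resource.emailWhitelistEnabled &&`), so it is not visible whether `!headerAuth` is among the remaining terms. Since this commit introduces a header-auth-only flow in the later hunk, that term is what keeps a resource configured with only header auth from taking this pass-through branch before the new `notAllowed` guard is ever reached; if it is missing, the IMPORTANT warning on the line above describes exactly this outcome. Swapping `resource.sso` for the local `sso` is presumably meant to apply the same (tier-gated or otherwise derived) value used by the later checks; a one-line comment where `sso` is computed, e.g. `// effective SSO setting; must match the fail-open check below`, would make that coupling explicit. The enclosing verifyResourceSession body starts before and ends after this hunk.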
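Review bot: In the `@@ -315` hunk the predicate `!sso && !pincode && !password && !resource.emailWhitelistEnabled` is now written out twice in adjacent branches, and a third, longer copy guards the fail-open path near line 196, so the IMPORTANT warning about forgetting an auth method now applies to three places that can drift apart. Compute it once before the header-auth branch, `const noOtherAuthMethod = !sso && !pincode && !password && !resource.emailWhitelistEnabled;`, and use it in both `return notAllowed(res)` guards; if the branch that opens above this hunk has no other exit before its closing brace, the two guards are equivalent to a single `if (headerAuth && noOtherAuthMethod) return notAllowed(res);` placed after the `if`/`else if`, which also removes the duplicated comment. The `// we dont want to redirect ...` comment sits inside the `if (` parenthesis; move it onto its own line above the `if` and fix the wording: `// only auth method configured and the header check did not pass: reject rather than redirect`. The `if (headerAuth ...)` block this `else if` belongs to begins outside the hunk, and verifyResourceSession continues past it.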