Auth: Perform authentication only once and not lazily

Since authentication is now performed even for static resources, there's no reason anymore to support implicit authentication. This also limits authentication attempts to a single one, previously failed attempts were repeated. Requiring authentication during bootstrapping, i.e. before authentication has been performed, will now throw an error. refs #5265
2026-06-09 00:22:45 -04:00 · 2025-07-08 14:22:56 +02:00 · 2025-07-08 14:22:56 +02:00 · 3a61473301
commit 3a61473301
parent e7c5bb33d7
2 changed files with 54 additions and 15 deletions
--- a/library/Icinga/Application/EmbeddedWeb.php
+++ b/library/Icinga/Application/EmbeddedWeb.php
@ -122,14 +122,9 @@ class EmbeddedWeb extends ApplicationBootstrap
    protected function setupUser(): static
    {
        $auth = Auth::getInstance();
-        if (! $this->request->isXmlHttpRequest() && $this->request->isApiRequest() && ! $auth->isAuthenticated()) {
-            $auth->authHttp();
-        }
-
-        if ($auth->isAuthenticated()) {
-            $user = $auth->getUser();
-            $this->getRequest()->setUser($user);
-            $this->user = $user;
+        if ($auth->authenticate()->isAuthenticated()) {
+            $this->user = $auth->getUser();
+            $this->getRequest()->setUser($this->user);
        }

        return $this;
--- a/library/Icinga/Authentication/Auth.php
+++ b/library/Icinga/Authentication/Auth.php
@ -21,6 +21,8 @@ use Icinga\User\Preferences;
 use Icinga\User\Preferences\PreferencesStore;
 use Icinga\Web\Session;
 use Icinga\Web\StyleSheet;
+use LogicException;
+use RuntimeException;

 class Auth
 {
@ -52,6 +54,14 @@ class Auth
     */
    private $user;

+    /**
+     * Whether the user has been authenticated
+     *
+     * If true, this does NOT mean authentication was successful.
+     *
+     * @var bool
+     */
+    private bool $authenticated = false;

    /**
     * @see getInstance()
@ -90,14 +100,14 @@ class Auth
     */
    public function isAuthenticated()
    {
-        if ($this->user !== null) {
-            return true;
+        if (! $this->authenticated) {
+            throw new RuntimeException(
+                'This should not happen. Please report this as a bug.'
+                . 'Include the full stack trace in your report and a list of *all* installed modules.'
+            );
        }
-        $this->authenticateFromSession();
-        if ($this->user === null && ! $this->authExternal()) {
-            return false;
-        }
-        return true;
+
+        return $this->user !== null;
    }

    public function setAuthenticated(User $user, $persist = true)
@ -212,6 +222,40 @@ class Auth
    public function setUser(User $user)
    {
        $this->user = $user;
+        $this->authenticated = true;
+
+        return $this;
+    }
+
+    /**
+     * Authenticate the user
+     *
+     * This method will try to authenticate the user using the session first, then external backends and finally HTTP
+     * authentication. If authentication has already been performed, an exception will be thrown.
+     *
+     * @throws LogicException If authentication has already been performed
+     *
+     * @return $this
+     */
+    public function authenticate(): static
+    {
+        if ($this->authenticated) {
+            throw new LogicException('Cannot perform authentication more than once');
+        }
+
+        $this->authenticateFromSession();
+        if ($this->user === null) {
+            $this->authExternal();
+
+            if ($this->user === null
+                && $this->getRequest()->isApiRequest()
+                && ! $this->getRequest()->isXmlHttpRequest()
+            ) {
+                $this->authHttp();
+            }
+        }
+
+        $this->authenticated = true;

        return $this;
    }