EmbeddedWeb: Explicitly perform authentication

It is nowadays no exception that stylesheet may be dependent on who's using the app. So to avoid race conditions like in #5385 authentication is an explicit step during bootstrap now. fixes #5385
2025-07-27 07:44:04 +02:00 · 2025-07-08 14:16:42 +02:00 · 2025-07-08 14:16:42 +02:00 · a28eb4beb8
commit a28eb4beb8
parent dadff36660
2 changed files with 46 additions and 55 deletions
--- a/library/Icinga/Application/EmbeddedWeb.php
+++ b/library/Icinga/Application/EmbeddedWeb.php
@ -5,6 +5,8 @@ namespace Icinga\Application;

 require_once dirname(__FILE__) . '/ApplicationBootstrap.php';

+use Icinga\Authentication\Auth;
+use Icinga\User;
 use Icinga\Web\Request;
 use Icinga\Web\Response;
 use ipl\I18n\NoopTranslator;
@ -35,6 +37,13 @@ class EmbeddedWeb extends ApplicationBootstrap
     */
    protected $response;

+    /**
+     * User object
+     *
+     * @var ?User
+     */
+    protected ?User $user = null;
+
    /**
     * Get the request
     *
@ -65,10 +74,10 @@ class EmbeddedWeb extends ApplicationBootstrap
    protected function bootstrap()
    {
        return $this
+            ->setupLogging()
            ->setupErrorHandling()
            ->loadLibraries()
            ->loadConfig()
-            ->setupLogging()
            ->setupLogger()
            ->setupRequest()
            ->setupResponse()
@ -76,6 +85,8 @@ class EmbeddedWeb extends ApplicationBootstrap
            ->prepareFakeInternationalization()
            ->setupModuleManager()
            ->loadEnabledModules()
+            ->setupUserBackendFactory()
+            ->setupUser()
            ->registerApplicationHooks();
    }

@ -101,6 +112,27 @@ class EmbeddedWeb extends ApplicationBootstrap
        return $this;
    }

+    /**
+     * Create user object
+     *
+     * @return $this
+     */
+    protected function setupUser(): static
+    {
+        $auth = Auth::getInstance();
+        if (! $this->request->isXmlHttpRequest() && $this->request->isApiRequest() && ! $auth->isAuthenticated()) {
+            $auth->authHttp();
+        }
+
+        if ($auth->isAuthenticated()) {
+            $user = $auth->getUser();
+            $this->getRequest()->setUser($user);
+            $this->user = $user;
+        }
+
+        return $this;
+    }
+
    /**
     * Prepare fake internationalization
     *
--- a/library/Icinga/Application/Web.php
+++ b/library/Icinga/Application/Web.php
@ -16,14 +16,11 @@ use Zend_Layout;
 use Zend_Paginator;
 use Zend_View_Helper_PaginationControl;
 use Icinga\Authentication\Auth;
-use Icinga\User;
 use Icinga\Util\DirectoryIterator;
 use Icinga\Util\TimezoneDetect;
 use Icinga\Web\Controller\Dispatcher;
 use Icinga\Web\Navigation\Navigation;
 use Icinga\Web\Notification;
-use Icinga\Web\Session;
-use Icinga\Web\Session\Session as BaseSession;
 use Icinga\Web\StyleSheet;
 use Icinga\Web\View;

@ -52,20 +49,6 @@ class Web extends EmbeddedWeb
     */
    private $frontController;

-    /**
-     * Session object
-     *
-     * @var BaseSession
-     */
-    private $session;
-
-    /**
-     * User object
-     *
-     * @var User
-     */
-    private $user;
-
    /** @var array */
    protected $accessibleMenuItems;

@ -90,7 +73,6 @@ class Web extends EmbeddedWeb
            ->loadConfig()
            ->setupLogger()
            ->setupRequest()
-            ->setupSession()
            ->setupNotifications()
            ->setupResponse()
            ->setupZendMvc()
@ -313,48 +295,25 @@ class Web extends EmbeddedWeb
        return $this;
    }

-    /**
-     * Create user object
-     *
-     * @return $this
-     */
-    private function setupUser()
+    protected function setupUser(): static
    {
-        $auth = Auth::getInstance();
-        if (! $this->request->isXmlHttpRequest() && $this->request->isApiRequest() && ! $auth->isAuthenticated()) {
-            $auth->authHttp();
-        }
-        if ($auth->isAuthenticated()) {
-            $user = $auth->getUser();
-            $this->getRequest()->setUser($user);
-            $this->user = $user;
+        parent::setupUser();

-            if ($user->can('user/application/stacktraces')) {
-                $displayExceptions = $this->user->getPreferences()->getValue(
-                    'icingaweb',
-                    'show_stacktraces'
+        if ($this->user !== null && $this->user->can('user/application/stacktraces')) {
+            $displayExceptions = $this->user->getPreferences()->getValue(
+                'icingaweb',
+                'show_stacktraces'
+            );
+
+            if ($displayExceptions !== null) {
+                $this->frontController->setParams(
+                    array(
+                        'displayExceptions' => $displayExceptions
+                    )
                );
-
-                if ($displayExceptions !== null) {
-                    $this->frontController->setParams(
-                        array(
-                            'displayExceptions' => $displayExceptions
-                        )
-                    );
-                }
            }
        }
-        return $this;
-    }

-    /**
-     * Initialize a session provider
-     *
-     * @return $this
-     */
-    private function setupSession()
-    {
-        $this->session = Session::create();
        return $this;
    }