fix: strict same site mode breaks redirects

3 files changed, 40 insertions, 14 deletions

diff --git a/app/controllers/dashboard/controller_test.go b/app/controllers/dashboard/controller_test.go
index f6b2f43..30a9acc 100644
--- a/app/controllers/dashboard/controller_test.go
+++ b/app/controllers/dashboard/controller_test.go
@@ -18,26 +18,54 @@ func TestController(t *testing.T) {
 
 	t.Run("GET /dashboard", func(t *testing.T) {
 		t.Run("when unauthenticated", func(t *testing.T) {
-			t.Run("redirects to the home page", func(t *testing.T) {
-				r, w := test.RequestResponse("GET", "/dashboard")
+			r, w := test.RequestResponse("GET", "/dashboard")
 
-				mux.ServeHTTP(w, r)
+			mux.ServeHTTP(w, r)
 
-				require.Equal(t, http.StatusFound, w.Code)
-				assert.Equal(t, "/", w.Header().Get("Location"))
+			t.Run("redirects to the home page", func(t *testing.T) {
+				require.Equal(t, http.StatusNotFound, w.Code)
 			})
 		})
 
 		t.Run("when authenticated", func(t *testing.T) {
-			t.Run("renders a dashboard page", func(t *testing.T) {
-				ctx := cfg.CurrentUser.With(t.Context(), &domain.User{})
-				r, w := test.RequestResponse("GET", "/dashboard", test.WithContext(ctx))
+			ctx := cfg.CurrentUser.With(t.Context(), &domain.User{})
+			r, w := test.RequestResponse("GET", "/dashboard", test.WithContext(ctx))
+			mux.ServeHTTP(w, r)
 
-				mux.ServeHTTP(w, r)
+			t.Run("renders a dashboard page", func(t *testing.T) {
 				assert.Equal(t, http.StatusOK, w.Code)
 				assert.Equal(t, "text/html", w.Header().Get("Content-Type"))
 				assert.Contains(t, w.Body.String(), "<html")
 			})
 		})
 	})
+
+	t.Run("GET /dashboard/nav", func(t *testing.T) {
+		t.Run("when unauthenticated", func(t *testing.T) {
+			r, w := test.RequestResponse("GET", "/dashboard/nav")
+
+			mux.ServeHTTP(w, r)
+
+			t.Run("renders the site header", func(t *testing.T) {
+				assert.Equal(t, http.StatusOK, w.Code)
+				assert.Equal(t, "text/html", w.Header().Get("Content-Type"))
+				assert.Contains(t, w.Body.String(), "Login")
+			})
+		})
+
+		t.Run("when authenticated", func(t *testing.T) {
+			ctx := cfg.CurrentUser.With(t.Context(), &domain.User{
+				Username: "root",
+			})
+			r, w := test.RequestResponse("GET", "/dashboard/nav", test.WithContext(ctx))
+			mux.ServeHTTP(w, r)
+
+			t.Run("renders the site header", func(t *testing.T) {
+				assert.Equal(t, http.StatusOK, w.Code)
+				assert.Equal(t, "text/html", w.Header().Get("Content-Type"))
+				assert.Contains(t, w.Body.String(), "root")
+			})
+		})
+	})
+
 }
diff --git a/app/middleware/require_user.go b/app/middleware/require_user.go
index 8f54a04..d0d5355 100644
--- a/app/middleware/require_user.go
+++ b/app/middleware/require_user.go
@@ -10,7 +10,7 @@ func RequireUser() func(http.Handler) http.Handler {
 			if IsLoggedIn(r) {
 				next.ServeHTTP(w, r)
 			} else {
-				http.Redirect(w, r, "/", http.StatusFound)
+				w.WriteHeader(http.StatusNotFound)
 			}
 		})
 	}
diff --git a/app/middleware/require_user_test.go b/app/middleware/require_user_test.go
index 794f347..92734b2 100644
--- a/app/middleware/require_user_test.go
+++ b/app/middleware/require_user_test.go
@@ -4,7 +4,6 @@ import (
 	"net/http"
 	"testing"
 
-	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
 	"gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
@@ -15,7 +14,7 @@ func TestRequireUser(t *testing.T) {
 	middleware := RequireUser()
 
 	t.Run("when a user is not logged in", func(t *testing.T) {
-		t.Run("redirects to the homepage", func(t *testing.T) {
+		t.Run("returns a 404 status", func(t *testing.T) {
 			r, w := test.RequestResponse("GET", "/example")
 
 			server := middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
@@ -23,8 +22,7 @@ func TestRequireUser(t *testing.T) {
 			}))
 			server.ServeHTTP(w, r)
 
-			require.Equal(t, http.StatusFound, w.Code)
-			assert.Equal(t, "/", w.Header().Get("Location"))
+			require.Equal(t, http.StatusNotFound, w.Code)
 		})
 	})