Fix bug where auth token is not set from cookie when excluded endpoint (#1360)

Co-authored-by: Ben Toogood <ben@micro.mu>

api/server/auth/auth.go

@@ -31,11 +31,26 @@ const (
 )
 
 func (h authHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
-	loginURL := h.auth.Options().LoginURL
+	// Extract the token from the request
+	var token string
+	if header := req.Header.Get("Authorization"); len(header) > 0 {
+		// Extract the auth token from the request
+		if strings.HasPrefix(header, BearerScheme) {
+			token = header[len(BearerScheme):]
+		}
+	} else {
+		// Get the token out the cookies if not provided in headers
+		if c, err := req.Cookie("micro-token"); err == nil && c != nil {
+			token = strings.TrimPrefix(c.Value, auth.CookieName+"=")
+			req.Header.Set("Authorization", BearerScheme+token)
+		}
+	}
 
 	// Return if the user disabled auth on this endpoint
 	excludes := h.auth.Options().Exclude
 	excludes = append(excludes, DefaultExcludes...)
+
+	loginURL := h.auth.Options().LoginURL
 	if len(loginURL) > 0 {
 		excludes = append(excludes, loginURL)
 	}
@@ -55,20 +70,6 @@ func (h authHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 		}
 	}
 
-	var token string
-	if header := req.Header.Get("Authorization"); len(header) > 0 {
-		// Extract the auth token from the request
-		if strings.HasPrefix(header, BearerScheme) {
-			token = header[len(BearerScheme):]
-		}
-	} else {
-		// Get the token out the cookies if not provided in headers
-		if c, err := req.Cookie("micro-token"); err == nil && c != nil {
-			token = strings.TrimPrefix(c.Value, auth.CookieName+"=")
-			req.Header.Set("Authorization", BearerScheme+token)
-		}
-	}
-
 	// If the token is valid, allow the request
 	if _, err := h.auth.Verify(token); err == nil {
 		h.handler.ServeHTTP(w, req)