From d17e3fee08a0f262e8a529347e2bccf3063371e7 Mon Sep 17 00:00:00 2001
From: Jesse Chan
Date: Sun, 11 Oct 2020 00:30:24 +0800
Subject: [PATCH] server: auth: fix subsequent user creation

---
 server/routes/api/auth.ts | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/server/routes/api/auth.ts b/server/routes/api/auth.ts
index 9934b00a..8c482a8a 100644
--- a/server/routes/api/auth.ts
+++ b/server/routes/api/auth.ts
@@ -5,7 +5,7 @@ import passport from 'passport';
 
 import type {Response} from 'express';
 import type {AuthRegisterOptions, AuthUpdateUserOptions} from '@shared/types/api/auth';
-import type {Credentials} from '@shared/types/Auth';
+import type {Credentials, UserInDatabase} from '@shared/types/Auth';
 
 import ajaxUtil from '../../util/ajaxUtil';
 import config from '../../../config';
@@ -93,16 +93,21 @@ router.post('/authenticate', (req, res) => {
 });
 
 // Allow unauthenticated registration if no users are currently registered.
-router.use('/register', (req, _res, next) => {
+router.use('/register', (req, res, next) => {
 Users.initialUserGate({
 handleInitialUser: () => {
 next();
 },
 handleSubsequentUser: () => {
- passport.authenticate('jwt', {session: false}, (passportReq, passportRes) => {
+ passport.authenticate('jwt', {session: false}, (err, user: UserInDatabase) => {
+ if (err || !user) {
+ res.status(401).send('Unauthorized');
+ return;
+ }
+ req.user = user;
 // Only admin users can create users
- requireAdmin(passportReq, passportRes, next);
- });
+ requireAdmin(req, res, next);
+ })(req, res, next);
 },
 });
 });
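Review bot: In the `passport.authenticate` callback of the `/register` gate, a strategy error and a missing or invalid token are folded into the same 401, so a failure inside the JWT strategy is reported to the client as bad credentials and never reaches the error handler or a log. Handle the two cases separately: `if (err) { next(err); return; }` followed by `if (!user) { res.status(401).send('Unauthorized'); return; }`. The parameter is also annotated `user: UserInDatabase`, but passport passes `false` when authentication fails, so `user: UserInDatabase | false` would keep the type honest about why the `!user` guard on this admin-only path must stay. Separately, `Users.initialUserGate` is defined outside this diff; if its "no users yet" check is not atomic with user creation, concurrent first requests could both take the unauthenticated `handleInitialUser` branch, which is worth confirming.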