From 597d1304fdeace6adc0a630d93c2ac39136c451b Mon Sep 17 00:00:00 2001
From: evazion
Date: Thu, 26 Mar 2020 22:43:34 -0500
Subject: [PATCH] sessions: fixup bugs in b2cf765d6.

Deal with the cases where either the `login` param is given without the `api_key`, or the `api_key` is given with the `login`.
---
 app/logical/session_loader.rb | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/logical/session_loader.rb b/app/logical/session_loader.rb
index 05c2ffdc7..d4ecf45d1 100644
--- a/app/logical/session_loader.rb
+++ b/app/logical/session_loader.rb
@@ -57,6 +57,8 @@ class SessionLoader
 authenticate_basic_auth
 elsif params[:login].present? && params[:api_key].present?
 authenticate_api_key(params[:login], params[:api_key])
+ else
+ raise AuthenticationFailure
 end
 end
 
@@ -68,8 +70,9 @@ class SessionLoader
 end
 
 def authenticate_api_key(name, api_key)
- CurrentUser.user = User.find_by_name(name)&.authenticate_api_key(api_key)
- raise AuthenticationFailure unless Currentuser.user.present?
+ user = User.find_by_name(name)&.authenticate_api_key(api_key)
+ raise AuthenticationFailure if user.blank?
+ CurrentUser.user = user
 end
 
 def load_param_user(signed_user_id)
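Review bot: The new `else` branch in the first hunk (@@ -57,6 +57,8 @@) fails closed, but nothing in the code says which requests are meant to reach it. A comment above the raise, such as `# login without api_key (or api_key without login) is a failed attempt, not an anonymous request`, would keep a later edit from turning the branch back into a silent fall-through. The enclosing method and the condition that routes requests into this chain start above the hunk, so the comment should also name that guard once it is in view.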
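Review bot: The repaired `authenticate_api_key` path in the second hunk (@@ -68,8 +70,9 @@) ships without a regression test. The diffstat lists only app/logical/session_loader.rb, and the removed line referenced `Currentuser`, which suggests this path was not exercised before. I would add cases for login without api_key, api_key without login, an unknown name and a wrong key, each expecting AuthenticationFailure and confirming that CurrentUser.user is not set to the named account. A short comment above the assignment, `# set CurrentUser only after the key has been verified`, would record why the order of the three new lines matters. When the name is unknown, `&.` skips the key check altogether, so whether the two failure cases look the same to a client depends on User#authenticate_api_key and the rescue handler, neither of which is visible in this hunk.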