From d89fc44c03fa6db40544e0549a35df7db5e52020 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 30 Dec 2021 16:14:33 -0500
Subject: [PATCH] fix: move authenticateRequest before interstitial and maintenance mode middlewares, allowed plugins to disable authentication on certain routes fixes #10112
---
 src/middleware/user.js | 16 ++++++++++++++++
 src/routes/helpers.js | 2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/src/middleware/user.js b/src/middleware/user.js
index 6cfeca7039..f43b77c060 100644
--- a/src/middleware/user.js
+++ b/src/middleware/user.js
@@ -2,6 +2,8 @@
 const winston = require('winston');
 const passport = require('passport');
+const nconf = require('nconf');
+const path = require('path');
 const util = require('util');
 const user = require('../user');
@@ -81,6 +83,20 @@ module.exports = function (middleware) {
 }
 middleware.authenticateRequest = helpers.try(async (req, res, next) => {
+ const { skip } = await plugins.hooks.fire('filter:middleware.authenticate', {
+ skip: {
+ // get: [],
+ post: ['/api/v3/utilities/login'],
+ // etc...
+ },
+ });
+
+ const mountedPath = path.join(req.baseUrl, req.path).replace(nconf.get('relative_path'), '');
+ const method = req.method.toLowerCase();
+ if (skip[method] && skip[method].includes(mountedPath)) {
+ return next();
+ }
+
 if (!await authenticate(req, res)) {
 return;
 }
diff --git a/src/routes/helpers.js b/src/routes/helpers.js
index b6ed0a7d2b..8bcad07b22 100644
--- a/src/routes/helpers.js
+++ b/src/routes/helpers.js
@@ -15,9 +15,9 @@ function _handleArgs(middleware, middlewares, controller) {
 }
 middlewares = [
+ middleware.authenticateRequest,
 middleware.maintenanceMode,
 middleware.registrationComplete,
- middleware.authenticateRequest,
 middleware.pluginHooks,
 ...middlewares,
 ];
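Review bot: The skip decision in `authenticateRequest` is made on `path.join(req.baseUrl, req.path).replace(nconf.get('relative_path'), '')`, which is not guaranteed to be the path the router matched: `path.join` collapses `.`/`..` segments and repeated slashes and uses backslashes on Windows, and the string `replace` removes the first occurrence of `relative_path` wherever it appears rather than only as a prefix. Because a match bypasses `authenticate()` entirely, the comparison should use the un-normalised path and strip the prefix explicitly, e.g. `const fullPath = req.baseUrl + req.path;` followed by `const mountedPath = fullPath.startsWith(relativePath) ? fullPath.slice(relativePath.length) : fullPath;`, with `relativePath` read once from nconf (assuming it is always a string). The hook result is also used unchecked, so a listener that returns no `skip` object would make `skip[method]` throw; a `skip && skip[method]` guard, or a comment stating that listeners must return the object, would pin down the contract. The handler's body continues outside this hunk.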
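Review bot: The order of this array is now load-bearing and nothing in `_handleArgs` says so: `authenticateRequest` was moved ahead of `maintenanceMode` and `registrationComplete`, presumably because those middlewares depend on the authenticated user, and a later re-sort would silently undo the fix. A comment above the array such as `// authenticateRequest must stay first; maintenanceMode and registrationComplete run after the user has been resolved` would record that. Requests that `authenticateRequest` skips via the `filter:middleware.authenticate` hook still pass through the two following middlewares without having been authenticated, so it is worth confirming they handle that case. `_handleArgs` starts and ends outside the hunk.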