From 7c7d8c14cce76eeb6661a0e4b1d30e0cecc6fea8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?= <jose.valim@dashbit.co>
Date: Wed, 18 Oct 2023 01:06:28 +0200
Subject: [PATCH] List user plug before auth

We should not allow someone to list apps
if they don't have a user.
---
 lib/livebook_web/router.ex | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/livebook_web/router.ex b/lib/livebook_web/router.ex
index 14e6f95e4d7..706543aa0b2 100644
--- a/lib/livebook_web/router.ex
+++ b/lib/livebook_web/router.ex
@@ -22,8 +22,10 @@ defmodule LivebookWeb.Router do
   end
 
   pipeline :auth do
-    plug LivebookWeb.AuthPlug
+    # If identity provider is enabled and we don't have access
+    # we don't want to show Livebook's authentication
     plug LivebookWeb.UserPlug
+    plug LivebookWeb.AuthPlug
   end
 
   pipeline :user do
@@ -141,7 +143,7 @@ defmodule LivebookWeb.Router do
   end
 
   scope "/authenticate", LivebookWeb do
-    pipe_through :browser
+    pipe_through [:browser, :user]
 
     get "/", AuthController, :index
     post "/", AuthController, :authenticate