internal/auth/delivery/http/auth_http.go

@@ -51,7 +51,7 @@ func (h *Handler) Handler() http.Handler {
 			Skipper: func(w http.ResponseWriter, r *http.Request) bool {
 				head, _ := urlutil.ShiftPath(r.URL.Path)
 
-				return head == ""
+				return r.Method == http.MethodPost && head == ""
 			},
 			CookieMaxAge:   0,
 			CookieSameSite: http.SameSiteStrictMode,
@@ -68,11 +68,9 @@ func (h *Handler) Handler() http.Handler {
 			Skipper: func(w http.ResponseWriter, r *http.Request) bool {
 				head, _ := urlutil.ShiftPath(r.URL.Path)
 
-				return r.Method != http.MethodPost ||
-					head != "verify" ||
-					r.PostFormValue("authorize") == "deny"
+				return r.Method != http.MethodPost || head != "verify"
 			},
-			Validator: func(_ http.ResponseWriter, _ *http.Request, login, password string) (bool, error) {
+			Validator: func(w http.ResponseWriter, r *http.Request, login, password string) (bool, error) {
 				userMatch := subtle.ConstantTimeCompare([]byte(login),
 					[]byte(h.config.IndieAuth.Username))
 				passMatch := subtle.ConstantTimeCompare([]byte(password),
@@ -85,7 +83,8 @@ func (h *Handler) Handler() http.Handler {
 	}
 
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		head, _ := urlutil.ShiftPath(r.URL.Path)
+		var head string
+		head, r.URL.Path = urlutil.ShiftPath(r.URL.Path)
 
 		switch r.Method {
 		default: