Decoupled authentication from core and introduced as a plugin
Change-Id: I149e5f7f5ab2d833d812e6e381da8ad4b45c1ed7
diff --git a/Changes b/Changes
index 330a70c..46346ef 100755
--- a/Changes
+++ b/Changes
@@ -1,5 +1,8 @@
-0.31 2018-11-14
+0.31 2018-11-16
- Update to Mojolicious >= 8.06.
+ - Made Authentication/Authorization a separated Kalamar::Plugin::Auth
+ (deprecated moth helpers from Kalamar::Plugin::KalamarUser).
+ - Introduced abstract 'korap_request' helper.
0.30 2018-11-13
- Rewrote backend:
diff --git a/README.md b/README.md
index e0eec58..91c8f2d 100644
--- a/README.md
+++ b/README.md
@@ -172,6 +172,26 @@
in the bottom line of the user interface,
and ```loginInfo```, below the login form, if present.
+
+### Plugins
+
+Some plugins are bundled as part of Kalamar. Plugins can be loaded
+via configuration file in an array
+
+```perl
+{
+ Kalamar => {
+ plugins => ['Auth']
+ }
+}
+```
+
+Currently bundled plugins are
+- ```Auth```: For integrating user management
+ supported by [Kustvakt full](https://github.com/KorAP/Kustvakt/tree/master/full).
+- ```Piwik```: For integrating Matomo/Piwik
+
+
## COPYRIGHT AND LICENSE
### Bundled Software
diff --git a/kalamar.conf b/kalamar.conf
index 6c0461e..889a8ca 100644
--- a/kalamar.conf
+++ b/kalamar.conf
@@ -39,10 +39,6 @@
# Backend API version
# api_version => '1.0',
- # In case, the user management of Kustvakt
- # is used, make this a true value
- auth_support => 0,
-
# The name of the base corpus,
# for query examples (see kalamar.queries.dict)
# examplecorpus => 'dereko'
@@ -50,6 +46,7 @@
# For further Plugins, add them
# to this array:
# plugins => []
+ # Currently bundled: Piwik, Auth
},
# See Mojolicious::Plugin::TagHelpers::MailToChiffre
diff --git a/kalamar.dict b/kalamar.dict
index c63a78d..38fe6c2 100644
--- a/kalamar.dict
+++ b/kalamar.dict
@@ -59,14 +59,6 @@
},
privacy => 'Datenschutz',
imprint => 'Impressum',
- Auth => {
- loginSuccess => 'Anmeldung erfolgreich',
- loginFail => 'Anmeldung fehlgeschlagen',
- logoutSuccess => 'Abmeldung erfolgreich',
- logoutFail => 'Abmeldung fehlgeschlagen',
- csrfFail => 'Fehlerhafter CSRF Token',
- openRedirectFail => 'Weiterleitungsfehler'
- },
Template => {
intro => 'de/intro',
doc => {
@@ -161,14 +153,6 @@
},
privacy => 'Privacy',
imprint => 'Imprint',
- Auth => {
- loginSuccess => 'Login successful',
- loginFail => 'Access denied',
- logoutSuccess => 'Logout successful',
- logoutFail => 'Logout failed',
- csrfFail => 'Bad CSRF token',
- openRedirectFail => 'Redirect failure'
- },
Template => {
intro => 'intro',
doc => {
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index 232e96b..8cf581f 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -4,7 +4,7 @@
use Mojo::URL;
use Mojo::File;
use Mojo::JSON 'decode_json';
-use Mojo::Util qw/url_escape/;
+use Mojo::Util qw/url_escape deprecated/;
use List::Util 'none';
# Minor version - may be patched from package.json
@@ -109,11 +109,6 @@
push @{$self->static->paths}, 'dev';
};
- # Check search configuration
-
- # Set endpoint
- $self->config('Search')->{api} //= $kalamar_conf->{api};
-
# Client notifications
$self->plugin(Notifications => {
'Kalamar::Plugin::Notifications' => 1,
@@ -178,14 +173,22 @@
};
};
- # Deprecated Legacy code -
- # TODO: Remove 2019-02
+ # Deprecated Legacy code
if ($self->config('Piwik') &&
none { $_ eq 'Piwik' } @{$conf->{plugins} // []}) {
- use Data::Dumper;
- warn Dumper $self->config('Piwik');
- $self->log->error('Piwik is no longer considered a mandatory plugin');
- $self->plugin('Piwik');
+
+ # 2018-11-12
+ deprecated 'Piwik is no longer considered a mandatory plugin';
+ $self->plugin('Kalamar::Plugin::Piwik');
+ };
+
+ # Deprecated Legacy code
+ if ($self->config('Kalamar')->{auth_support} &&
+ none { $_ eq 'Auth' } @{$conf->{plugins} // []}) {
+
+ # 2018-11-16
+ deprecated 'auth_support configuration is deprecated in favor of Plugin loading';
+ $self->plugin('Kalamar::Plugin::Auth')
};
# Configure documentation navigation
@@ -197,26 +200,6 @@
# Establish routes with authentification
my $r = $self->routes;
- # Check for auth support
- $self->defaults(
- auth_support => $self->config('Kalamar')->{auth_support}
- );
-
- # Support auth
- if ($self->stash('auth_support')) {
- $r = $r->under(
- '/' => sub {
- my $c = shift;
-
- if ($c->session('auth')) {
- $c->stash(auth => $c->session('auth'));
- $c->stash(user => $c->session('user'));
- };
- return 1;
- }
- );
- };
-
# Set footer value
$self->content_block(footer => {
inline => '<%= doc_link_to "V ' . $Kalamar::VERSION . '", "korap", "kalamar" %>',
@@ -241,13 +224,6 @@
my $doc = $r->route('/corpus/:corpus_id/:doc_id');
my $text = $doc->get('/:text_id')->to('search#text_info')->name('text');
my $match = $doc->get('/:text_id/:match_id')->to('search#match_info')->name('match');
-
- # User Management
- my $user = $r->any('/user')->to(controller => 'User');
- $user->post('/login')->to(action => 'login')->name('login');
- $user->get('/logout')->to(action => 'logout')->name('logout');
- # $r->any('/register')->to(action => 'register')->name('register');
- # $r->any('/forgotten')->to(action => 'pwdforgotten')->name('pwdforgotten');
};
diff --git a/lib/Kalamar/Controller/Search.pm b/lib/Kalamar/Controller/Search.pm
index 4fba8f8..ff11115 100644
--- a/lib/Kalamar/Controller/Search.pm
+++ b/lib/Kalamar/Controller/Search.pm
@@ -112,7 +112,7 @@
if (!$cutoff && !$c->no_cache) {
# Create cache string
- my $user = $c->user->handle;
+ my $user = $c->user_handle;
my $cache_url = $url->clone;
$cache_url->query->remove('context')->remove('count')->remove('cutoff')->remove('offset');
$total_cache_str = "total-$user-" . $cache_url->to_string;
diff --git a/lib/Kalamar/Controller/User.pm b/lib/Kalamar/Controller/User.pm
deleted file mode 100644
index af199a2..0000000
--- a/lib/Kalamar/Controller/User.pm
+++ /dev/null
@@ -1,82 +0,0 @@
-package Kalamar::Controller::User;
-use Mojo::Base 'Mojolicious::Controller';
-
-# Login action
-sub login {
- my $c = shift;
-
- # Validate input
- my $v = $c->validation;
- $v->required('handle_or_email', 'trim');
- $v->required('pwd', 'trim');
- $v->csrf_protect;
- $v->optional('fwd')->closed_redirect;
-
- if ($v->has_error) {
- if ($v->has_error('fwd')) {
- $c->notify(error => $c->loc('Auth_openRedirectFail'));
- }
- elsif ($v->has_error('csrf_token')) {
- $c->notify(error => $c->loc('Auth_csrfFail'));
- }
- else {
- $c->notify(error => $c->loc('Auth_loginFail'));
- };
- }
-
- # Login user
- elsif ($c->user->login(
- $v->param('handle_or_email'),
- $v->param('pwd')
- )) {
- $c->notify(success => $c->loc('Auth_loginSuccess'));
- }
-
- else {
- $c->notify(error => $c->loc('Auth_loginFail'));
- };
-
- # Set flash for redirect
- $c->flash(handle_or_email => $v->param('handle_or_email'));
-
- # Redirect to slash
- return $c->relative_redirect_to($v->param('fwd') // 'index');
-};
-
-
-# Logout of the session
-sub logout {
- my $c = shift;
-
- # Log out of the system
- if ($c->user->logout) {
- $c->notify(success => $c->loc('Auth_logoutSuccess'));
- }
-
- # Something went wrong
- else {
- $c->notify('error', $c->loc('Auth_logoutFail'));
- };
-
- return $c->redirect_to('index');
-};
-
-
-# Currently not in used
-sub register {
- my $c = shift;
- $c->render(json => {
- response => 'register'
- });
-};
-
-
-# Currently not in use
-sub pwdforgotten {
- my $c = shift;
- $c->render(json => {
- response => 'pwdforgotten'
- });
-};
-
-1;
diff --git a/lib/Kalamar/Plugin/Auth.pm b/lib/Kalamar/Plugin/Auth.pm
new file mode 100644
index 0000000..d61d77f
--- /dev/null
+++ b/lib/Kalamar/Plugin/Auth.pm
@@ -0,0 +1,271 @@
+package Kalamar::Plugin::Auth;
+use Mojo::Base 'Mojolicious::Plugin';
+use Mojo::ByteStream 'b';
+
+# TODO:
+# Get rid of auth_support for templates!
+# TODO:
+# Make all authentification parts in templates
+# content_block aware!
+
+# Register the plugin
+sub register {
+ my ($plugin, $app, $param) = @_;
+
+
+ # Load parameter from config file
+ if (my $config_param = $app->config('Kalamar-Auth')) {
+ $param = { %$param, %$config_param };
+ };
+
+
+ # Temp
+ $app->defaults(auth_support => 1);
+
+
+ # Load 'notifications' plugin
+ unless (exists $app->renderer->helpers->{notify}) {
+ $app->plugin(Notifications => {
+ HTML => 1
+ });
+ };
+
+
+ # unless ($param->{client_id} && $param->{client_secret}) {
+ # $mojo->log->error('client_id or client_secret not defined');
+ # return;
+ # };
+
+ # TODO:
+ # Define user CHI cache
+
+ $app->plugin('Localize' => {
+ dict => {
+ Auth => {
+ _ => sub { $_->locale },
+ de => {
+ loginSuccess => 'Anmeldung erfolgreich',
+ loginFail => 'Anmeldung fehlgeschlagen',
+ logoutSuccess => 'Abmeldung erfolgreich',
+ logoutFail => 'Abmeldung fehlgeschlagen',
+ csrfFail => 'Fehlerhafter CSRF Token',
+ openRedirectFail => 'Weiterleitungsfehler'
+ },
+ -en => {
+ loginSuccess => 'Login successful',
+ loginFail => 'Access denied',
+ logoutSuccess => 'Logout successful',
+ logoutFail => 'Logout failed',
+ csrfFail => 'Bad CSRF token',
+ openRedirectFail => 'Redirect failure'
+ }
+ }
+ }
+ });
+
+
+ # Inject authorization to all korap requests
+ $app->hook(
+ before_korap_request => sub {
+ my ($c, $tx) = @_;
+ my $auth_token = $c->auth->token or return;
+ my $h = $tx->req->headers;
+ $h->header('Authorization' => $auth_token);
+ }
+ );
+
+
+ # Get the user token necessary for authorization
+ $app->helper(
+ 'auth.token' => sub {
+ my $c = shift;
+
+ # Get token from stash
+ my $token = $c->stash('auth');
+
+ return $token if $token;
+
+ # Get auth from session
+ my $auth = $c->session('auth') or return;
+
+ # Set token to stash
+ $c->stash(auth => $auth);
+
+ return $auth;
+ }
+ );
+
+
+ # Log in to the system
+ my $r = $app->routes;
+ $r->post('/user/login')->to(
+ cb => sub {
+ my $c = shift;
+
+ # Validate input
+ my $v = $c->validation;
+ $v->required('handle_or_email', 'trim');
+ $v->required('pwd', 'trim');
+ $v->csrf_protect;
+ $v->optional('fwd')->closed_redirect;
+
+ my $user = $v->param('handle_or_email');
+ my $fwd = $v->param('fwd');
+
+ # Set flash for redirect
+ $c->flash(handle_or_email => $user);
+
+ if ($v->has_error || index($user, ':') >= 0) {
+ if ($v->has_error('fwd')) {
+ $c->notify(error => $c->loc('Auth_openRedirectFail'));
+ }
+ elsif ($v->has_error('csrf_token')) {
+ $c->notify(error => $c->loc('Auth_csrfFail'));
+ }
+ else {
+ $c->notify(error => $c->loc('Auth_loginFail'));
+ };
+
+ return $c->relative_redirect_to($fwd // 'index');
+ }
+
+ my $pwd = $v->param('pwd');
+
+ $c->app->log->debug("Login from user $user:$pwd");
+
+ my $url = Mojo::URL->new($c->korap->api)->path('auth/apiToken');
+
+ # Korap request for login
+ $c->korap_request('get', $url, {
+
+ # Set authorization header
+ Authorization => 'Basic ' . b("$user:$pwd")->b64_encode->trim,
+
+ })->then(
+ sub {
+ my $tx = shift;
+
+ # Get the java token
+ my $jwt = $tx->result->json;
+
+ # No java web token
+ unless ($jwt) {
+ $c->notify(error => 'Response is no valid JWT (remote)');
+ return;
+ };
+
+ # There is an error here
+ # Dealing with errors here
+ if (my $error = $jwt->{error}) {
+ if (ref $error eq 'ARRAY') {
+ $c->notify(error => $c->dumper($_));
+ }
+ else {
+ $c->notify(error => 'There is an unknown JWT error');
+ };
+ return;
+ };
+
+ # TODO: Deal with user return values.
+ my $auth = $jwt->{token_type} . ' ' . $jwt->{token};
+
+ $c->app->log->debug(qq!Login successful: "$user" with "$auth"!);
+
+ $user = $jwt->{username} ? $jwt->{username} : $user;
+
+ # Set session info
+ $c->session(user => $user);
+ $c->session(auth => $auth);
+
+ # Set stash info
+ $c->stash(user => $user);
+ $c->stash(auth => $auth);
+
+ # Set cache
+ $c->chi('user')->set($auth => $user);
+ $c->notify(success => $c->loc('Auth_loginSuccess'));
+ }
+ )->catch(
+ sub {
+ my $e = shift;
+
+ # Notify the user
+ $c->notify(
+ error =>
+ ($e->{code} ? $e->{code} . ': ' : '') .
+ $e->{message} . ' for Login (remote)'
+ );
+
+ # Log failure
+ $c->app->log->debug(
+ ($e->{code} ? $e->{code} . ' - ' : '') .
+ $e->{message}
+ );
+
+ $c->app->log->debug(qq!Login fail: "$user"!);
+ $c->notify(error => $c->loc('Auth_loginFail'));
+ }
+ )->finally(
+ sub {
+
+ # Redirect to slash
+ return $c->relative_redirect_to($fwd // 'index');
+ }
+ )
+
+ # Start IOLoop
+ ->wait;
+
+ return 1;
+ }
+ )->name('login');
+
+
+ # Log out of the session
+ $r->get('/user/logout')->to(
+ cb => sub {
+ my $c = shift;
+
+ # TODO: csrf-protection!
+
+ # Log out of the system
+ my $url = Mojo::URL->new($c->korap->api)->path('auth/logout');
+
+ $c->korap_request(
+ 'get', $url
+ )->then(
+ # Logged out
+ sub {
+ my $tx = shift;
+ # Clear cache
+ $c->chi('user')->remove($c->auth->token);
+
+ # Expire session
+ $c->session(user => undef);
+ $c->session(auth => undef);
+ $c->notify(success => $c->loc('Auth_logoutSuccess'));
+ }
+
+ )->catch(
+ # Something went wrong
+ sub {
+ # my $err_msg = shift;
+ $c->notify('error', $c->loc('Auth_logoutFail'));
+ }
+
+ )->finally(
+ # Redirect
+ sub {
+ return $c->redirect_to('index');
+ }
+ )
+
+ # Start IOLoop
+ ->wait;
+
+ return 1;
+ }
+ )->name('logout');
+};
+
+1;
diff --git a/lib/Kalamar/Plugin/KalamarHelpers.pm b/lib/Kalamar/Plugin/KalamarHelpers.pm
index 295a04f..f5e995b 100644
--- a/lib/Kalamar/Plugin/KalamarHelpers.pm
+++ b/lib/Kalamar/Plugin/KalamarHelpers.pm
@@ -2,7 +2,7 @@
use Mojo::Base 'Mojolicious::Plugin';
use Mojo::JSON qw/decode_json true false/;
use Mojo::ByteStream 'b';
-use Mojo::Util qw/xml_escape/;
+use Mojo::Util qw/xml_escape deprecated/;
sub register {
my ($plugin, $mojo) = @_;
@@ -223,6 +223,9 @@
kalamar_test_port => sub {
my $c = shift;
+ # 2018-11-15
+ deprecated 'kalamar_test_port is deprecated and will be removed';
+
# Test port is defined in the stash
if (defined $c->stash('kalamar.test_port')) {
return $c->stash('kalamar.test_port');
@@ -240,6 +243,7 @@
return 0;
});
+
# Establish 'search_results' taghelper
# This is based on Mojolicious::Plugin::Search
$mojo->helper(
@@ -270,9 +274,11 @@
}
);
+
+ # Get the KorAP API endpoint
$mojo->helper(
'korap.api' => sub {
- return shift->config('Search')->{api};
+ return shift->config('Kalamar')->{api};
}
);
@@ -284,14 +290,18 @@
# In case the user is not known, it is assumed,
# the user is not logged in
- my $user = $c->user->handle;
+ # TODO:
+ # Make this more general
+ my $user = $c->user_handle;
# Set api request for debugging
my $cache_str = "$method-$user-" . $url->to_string;
$c->stash(api_request => $url->to_string);
+ # No cache request
if ($c->no_cache) {
- return $c->user->auth_request_p($method => $url)->then(
+
+ return $c->korap_request($method => $url)->then(
sub {
my $tx = shift;
# Catch errors and warnings
@@ -306,6 +316,9 @@
my $promise;
+ # TODO:
+ # emit_hook(after_koral_fetch => $c)
+
# Cache was found
if ($koral) {
@@ -324,7 +337,8 @@
};
# Resolve request
- return $c->user->auth_request_p($method => $url)->then(
+ # Before: user->auth_request_p
+ return $c->korap_request($method => $url)->then(
sub {
my $tx = shift;
return ($c->catch_errors_and_warnings($tx) ||
@@ -340,7 +354,6 @@
);
}
);
-
};
diff --git a/lib/Kalamar/Plugin/KalamarUser.pm b/lib/Kalamar/Plugin/KalamarUser.pm
index 4cf7642..d0340e8 100644
--- a/lib/Kalamar/Plugin/KalamarUser.pm
+++ b/lib/Kalamar/Plugin/KalamarUser.pm
@@ -1,12 +1,15 @@
package Kalamar::Plugin::KalamarUser;
use Mojo::Base 'Mojolicious::Plugin';
+use Mojo::Util qw/deprecated/;
use Mojo::Promise;
use Mojo::ByteStream 'b';
has 'api';
has 'ua';
-# TODO: Merge with meta-button
+# TODO:
+# This Plugin will be removed in favour of
+# Kalamar::Plugin::Auth!
sub register {
my ($plugin, $mojo, $param) = @_;
@@ -34,11 +37,79 @@
# Set app to server
$plugin->ua->server->app($mojo);
+ # Get user handle
+ $mojo->helper(
+ 'user_handle' => sub {
+ my $c = shift;
+
+ # Get from stash
+ my $user = $c->stash('user');
+ return $user if $user;
+
+ # Get from session
+ $user = $c->session('user');
+
+ # Set in stash
+ if ($user) {
+ $c->stash(user => $user);
+ return $user;
+ };
+
+ return 'not_logged_in';
+ }
+ );
+
+ # This is a new general korap_request helper,
+ # that can trigger some hooks for, e.g., authentication
+ # or analysis. It returns a promise.
+ $mojo->helper(
+ 'korap_request' => sub {
+ my $c = shift;
+ my $method = shift;
+ my $path = shift;
+
+ # Get plugin user agent
+ my $ua = $plugin->ua;
+
+ my $url = Mojo::URL->new($path);
+ my $tx = $ua->build_tx(uc($method), $url, @_);
+
+ # Set X-Forwarded for
+ $tx->req->headers->header(
+ 'X-Forwarded-For' => $c->client_ip
+ );
+
+
+ # Emit Hook to alter request
+ $c->app->plugins->emit_hook(
+ before_korap_request => ($c, $tx)
+ );
+
+ return $ua->start_p($tx);
+ }
+ );
+
+ #############################################
+ # WARNING! #
+ # The following helpers are all deprecated: #
+ #############################################
+
+ $mojo->helper(
+ 'user.handle' => sub {
+
+ # 2018-11-16
+ deprecated 'user.handle is deprecated in favour of user_handle!';
+ return shift->user_handle;
+ });
+
# Get the user token necessary for authorization
$mojo->helper(
'user_auth' => sub {
my $c = shift;
+ # 2018-11-16
+ deprecated 'user_auth is deprecated in favour of auth->token!';
+
# Get token from stash
my $token = $c->stash('auth');
@@ -56,6 +127,10 @@
$mojo->helper(
'user.ua' => sub {
+
+ # 2018-11-15
+ deprecated 'user->ua is deprecated!';
+
my $c = shift;
my $auth = $c->user_auth;
@@ -86,33 +161,15 @@
}
);
- # Get user handle
- $mojo->helper(
- 'user.handle' => sub {
- my $c = shift;
-
- # Get from stash
- my $user = $c->stash('user');
- return $user if $user;
-
- # Get from session
- $user = $c->session('user');
-
- # Set in stash
- if ($user) {
- $c->stash(user => $user);
- return $user;
- };
-
- return 'not_logged_in';
- }
- );
-
# Request with authorization header
$mojo->helper(
'user.auth_request' => sub {
my $c = shift;
+
+ # 2018-11-15
+ deprecated 'user->auth_request is deprecated!';
+
my $method = shift;
my $path = shift;
@@ -144,10 +201,14 @@
# return a promise
$mojo->helper(
'user.auth_request_p' => sub {
- my $c = shift;
+ my $c = shift;
my $method = shift;
- my $path = shift;
+ my $path = shift;
+ # 2018-11-16
+ deprecated 'user->auth_request_p is deprecated!';
+
+ # Get plugin user agent
my $ua = $plugin->ua;
my $tx;
@@ -175,6 +236,9 @@
my $c = shift;
my ($user, $pwd) = @_;
+ # 2018-11-16
+ deprecated 'user->login is deprecated!';
+
return if (index($user, ':') >= 0);
$c->app->log->debug("Login from user $user:$pwd");
@@ -350,6 +414,9 @@
'user.logout' => sub {
my $c = shift;
+ # 2018-11-16
+ deprecated 'user->logout is deprecated!';
+
# TODO: csrf-protection!
my $url = Mojo::URL->new($plugin->api)->path('auth/logout');
diff --git a/t/user.t b/t/plugin/auth.t
similarity index 94%
rename from t/user.t
rename to t/plugin/auth.t
index 665a623..ff5988e 100644
--- a/t/user.t
+++ b/t/plugin/auth.t
@@ -11,12 +11,16 @@
my $mount_point = '/api/';
$ENV{KALAMAR_API} = $mount_point;
-my $t = Test::Mojo->new('Kalamar');
-$t->app->defaults('auth_support' => 1);
+my $t = Test::Mojo->new('Kalamar' => {
+ Kalamar => {
+ auth_support => 1,
+ plugins => ['Auth']
+ }
+});
# Mount fake backend
# Get the fixture path
-my $fixtures_path = path(Mojo::File->new(__FILE__)->dirname, 'server');
+my $fixtures_path = path(Mojo::File->new(__FILE__)->dirname, '..', 'server');
my $fake_backend = $t->app->plugin(
Mount => {
$mount_point =>
@@ -26,7 +30,6 @@
# Configure fake backend
$fake_backend->pattern->defaults->{app}->log($t->app->log);
-
$t->get_ok('/api')
->status_is(200)
->content_is('Fake server available');
@@ -62,13 +65,13 @@
->tx->res->dom->at('input[name=csrf_token]')->attr('value')
;
-
$t->post_ok('/user/login' => form => {
handle_or_email => 'test',
pwd => 'pass',
csrf_token => $csrf
})
->status_is(302)
+ ->content_is('')
->header_is('Location' => '/');
$t->get_ok('/')
diff --git a/templates/layouts/main.html.ep b/templates/layouts/main.html.ep
index 88c364d..1ddb271 100644
--- a/templates/layouts/main.html.ep
+++ b/templates/layouts/main.html.ep
@@ -82,6 +82,6 @@
% };
%= notifications 'Kalamar::Plugin::Notifications'
+ %= content_block 'scripts'
</body>
- %= content_block 'scripts'
</html>
diff --git a/templates/partial/side.html.ep b/templates/partial/side.html.ep
index 3212adf..d0a5470 100644
--- a/templates/partial/side.html.ep
+++ b/templates/partial/side.html.ep
@@ -1,5 +1,5 @@
%# # user not logged in
-% if (!stash('documentation') && !$embedded && !user_auth && stash('auth_support')) {
+% if (!stash('documentation') && !$embedded && stash('auth_support') && !$c->auth->token) {
% content_for 'sidebar', begin
% if (flash('handle_or_email') && !param('handle_or_email')) {
% param(handle_or_email => flash('handle_or_email'));