fix(ldap): add Close() method and defer conn.Close() at all call sites

LDAP connections were never closed, leaking TCP connections on every request. Also refactors change.go from chained else-if to early returns for cleaner defer placement. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 14:40:40 +07:00 · 2026-03-16 14:40:40 +07:00 · 4a68d0700d
commit 4a68d0700d
parent 71805cf65c
7 changed files with 57 additions and 24 deletions
--- a/change.go
+++ b/change.go
@ -67,31 +67,51 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
 	// Check the two new passwords are identical
 	if r.PostFormValue("newpassword") != r.PostFormValue("new2password") {
 		renderError(http.StatusNotAcceptable, "New passwords are not identical. Please retry.")
-	} else if len(r.PostFormValue("login")) == 0 {
-		renderError(http.StatusNotAcceptable, "Please provide a valid login")
-	} else if err := checkPasswdConstraint(r.PostFormValue("newpassword")); err != nil {
-		renderError(http.StatusNotAcceptable, "The password you chose doesn't respect all constraints: "+err.Error())
-	} else {
-		conn, err := myLDAP.Connect()
-		if err != nil || conn == nil {
-			log.Println(err)
-			renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
-		} else if err := conn.ServiceBind(); err != nil {
-			log.Println(err)
-			renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
-		} else if dn, err := conn.SearchDN(r.PostFormValue("login"), true); err != nil {
-			log.Println(err)
-			// User not found: perform a dummy bind to prevent username enumeration via timing.
-			conn.Bind("cn=dummy,"+myLDAP.BaseDN, r.PostFormValue("password"))
-			renderError(http.StatusUnauthorized, "Invalid login or password.")
-		} else if err := conn.Bind(dn, r.PostFormValue("password")); err != nil {
-			log.Println(err)
-			renderError(http.StatusUnauthorized, "Invalid login or password.")
-		} else if err := conn.ChangePassword(dn, r.PostFormValue("newpassword")); err != nil {
-			log.Println(err)
-			renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
-		} else {
-			displayMsg(w, "Password successfully changed!", http.StatusOK)
-		}
+		return
 	}
+	if len(r.PostFormValue("login")) == 0 {
+		renderError(http.StatusNotAcceptable, "Please provide a valid login")
+		return
+	}
+	if err := checkPasswdConstraint(r.PostFormValue("newpassword")); err != nil {
+		renderError(http.StatusNotAcceptable, "The password you chose doesn't respect all constraints: "+err.Error())
+		return
+	}
+
+	conn, err := myLDAP.Connect()
+	if err != nil || conn == nil {
+		log.Println(err)
+		renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
+		return
+	}
+	defer conn.Close()
+
+	if err := conn.ServiceBind(); err != nil {
+		log.Println(err)
+		renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
+		return
+	}
+
+	dn, err := conn.SearchDN(r.PostFormValue("login"), true)
+	if err != nil {
+		log.Println(err)
+		// User not found: perform a dummy bind to prevent username enumeration via timing.
+		conn.Bind("cn=dummy,"+myLDAP.BaseDN, r.PostFormValue("password"))
+		renderError(http.StatusUnauthorized, "Invalid login or password.")
+		return
+	}
+
+	if err := conn.Bind(dn, r.PostFormValue("password")); err != nil {
+		log.Println(err)
+		renderError(http.StatusUnauthorized, "Invalid login or password.")
+		return
+	}
+
+	if err := conn.ChangePassword(dn, r.PostFormValue("newpassword")); err != nil {
+		log.Println(err)
+		renderError(http.StatusInternalServerError, "Unable to process your request. Please try again later.")
+		return
+	}
+
+	displayMsg(w, "Password successfully changed!", http.StatusOK)
 }