HumanSecurity · yaronschwimmer · Jul 31, 2018 · Jul 31, 2018
diff --git a/lib/pxenforcer.js b/lib/pxenforcer.js
@@ -133,6 +133,15 @@ class PxEnforcer {
 
 
     handleVerification(pxCtx, pxConfig, req, res, cb) {
+        const verified = pxCtx.score < pxConfig.BLOCKING_SCORE;
+
+        // Handle async activities
+        if (verified) {
+            this.pxPass(pxCtx);
+        } else {
+            this.pxBlock(pxCtx, pxConfig);
+        }
+
         // check for additional activity handler
         if (pxConfig.ADDITIONAL_ACTIVITY_HANDLER) {
             pxConfig.ADDITIONAL_ACTIVITY_HANDLER(pxCtx, pxConfig);
@@ -150,63 +159,58 @@ class PxEnforcer {
                     return cb(null, result);
                 }
             }
-
         }
-        if (pxCtx.score < pxConfig.BLOCKING_SCORE) {
-            this.pxPass(pxCtx);
+
+         // If verified, pass the request here
+        if (verified || pxConfig.MODULE_MODE === pxConfig.MONITOR_MODE.MONITOR) {
             return cb();
-        } else {
-            this.pxBlock(pxCtx, pxConfig);
-            if (pxConfig.MODULE_MODE === pxConfig.MONITOR_MODE.MONITOR) {
-                return cb();
-            }
+        }
 
-            const acceptHeaderValue = req.headers["accept"] || req.headers["content-type"];
-            const isJsonResponse = acceptHeaderValue && acceptHeaderValue.split(',').find((value) => value.toLowerCase() === "application/json") && pxCtx.cookieOrigin === "cookie" && pxCtx.blockAction !== 'r';
+        const acceptHeaderValue = req.headers["accept"] || req.headers["content-type"];
+        const isJsonResponse = acceptHeaderValue && acceptHeaderValue.split(',').find((value) => value.toLowerCase() === "application/json") && pxCtx.cookieOrigin === "cookie" && pxCtx.blockAction !== 'r';
 
-            pxLogger.debug(`Enforcing action:  ${pxUtil.parseAction(pxCtx.blockAction)} page is served ${isJsonResponse ? "using advanced protection mode" : ""}`);
-            this.generateResponse(pxCtx, pxConfig, isJsonResponse, function (responseObject) {
-                const response = {
-                    status: '403',
-                    statusDescription: "Forbidden"
-                };
+        pxLogger.debug(`Enforcing action:  ${pxUtil.parseAction(pxCtx.blockAction)} page is served ${isJsonResponse ? "using advanced protection mode" : ""}`);
+        this.generateResponse(pxCtx, pxConfig, isJsonResponse, function (responseObject) {
+            const response = {
+                status: '403',
+                statusDescription: "Forbidden"
+            };
 
-                if (pxCtx.blockAction === 'r') {
-                    response.status = '429';
-                    response.statusDescription = "Too Many Requests";
-                }
+            if (pxCtx.blockAction === 'r') {
+                response.status = '429';
+                response.statusDescription = "Too Many Requests";
+            }
 
-                if (isJsonResponse) {
-                    response.header = {key: 'Content-Type', value: 'application/json'};
-                    response.body = {
-                        appId: responseObject.appId,
-                        jsClientSrc: responseObject.jsClientSrc,
-                        firstPartyEnabled: responseObject.firstPartyEnabled,
-                        vid: responseObject.vid,
-                        uuid: responseObject.uuid,
-                        hostUrl: responseObject.hostUrl,
-                        blockScript: responseObject.blockScript
-                    }
-                    return cb(null, response);
+            if (isJsonResponse) {
+                response.header = {key: 'Content-Type', value: 'application/json'};
+                response.body = {
+                    appId: responseObject.appId,
+                    jsClientSrc: responseObject.jsClientSrc,
+                    firstPartyEnabled: responseObject.firstPartyEnabled,
+                    vid: responseObject.vid,
+                    uuid: responseObject.uuid,
+                    hostUrl: responseObject.hostUrl,
+                    blockScript: responseObject.blockScript
                 }
+                return cb(null, response);
+            }
 
-                response.header = {key: 'Content-Type', value: 'text/html'};
-                response.body = responseObject;
-
-                if (pxCtx.cookieOrigin !== "cookie") {
-                    response.header = {key: 'Content-Type', value: 'application/json'};
-                    response.body = {
-                        action: pxUtil.parseAction(pxCtx.blockAction),
-                        uuid: pxCtx.uuid,
-                        vid: pxCtx.vid,
-                        appId: pxConfig.PX_APP_ID,
-                        page: new Buffer(responseObject).toString('base64'),
-                        collectorUrl: pxCtx.collectorUrl
-                    }
+            response.header = {key: 'Content-Type', value: 'text/html'};
+            response.body = responseObject;
+
+            if (pxCtx.cookieOrigin !== "cookie") {
+                response.header = {key: 'Content-Type', value: 'application/json'};
+                response.body = {
+                    action: pxUtil.parseAction(pxCtx.blockAction),
+                    uuid: pxCtx.uuid,
+                    vid: pxCtx.vid,
+                    appId: pxConfig.PX_APP_ID,
+                    page: new Buffer(responseObject).toString('base64'),
+                    collectorUrl: pxCtx.collectorUrl
                 }
-                cb(null, response);
-            });
-        }
+            }
+            cb(null, response);
+        });
     }
 
     get config() {