From 1b673f049f7dd9f04c444e0895c89335a14dc470 Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Date: Thu, 12 Mar 2026 09:58:29 -0700
Subject: [PATCH] remove defer in AuthenticateByCertificate (#2355)

Makes the control flow unnecessarily confusing now that the check
is its own function.
---
 irc/accounts.go | 27 ++++++++++-----------------
 1 file changed, 10 insertions(+), 17 deletions(-)

diff --git a/irc/accounts.go b/irc/accounts.go
index a366d7fb..eda27657 100644
--- a/irc/accounts.go
+++ b/irc/accounts.go
@@ -2035,25 +2035,18 @@ func (am *AccountManager) AuthenticateByCertificate(client *Client, certfp strin
 		return errAccountInvalidCredentials
 	}
 
-	var clientAccount ClientAccount
-
-	defer func() {
-		if err != nil {
+	clientAccount, err := am.checkCertAuth(client.IP(), certfp, peerCerts, authzid)
+	if err != nil {
+		return
+	}
+	if client.registered {
+		if clientAlready := am.server.clients.Get(clientAccount.Name); clientAlready != nil && clientAlready.AlwaysOn() {
+			err = errNickAccountMismatch
 			return
 		}
-		// TODO(#1109) clean this check up?
-		if client.registered {
-			if clientAlready := am.server.clients.Get(clientAccount.Name); clientAlready != nil && clientAlready.AlwaysOn() {
-				err = errNickAccountMismatch
-				return
-			}
-		}
-		am.Login(client, clientAccount)
-		return
-	}()
-
-	clientAccount, err = am.checkCertAuth(client.IP(), certfp, peerCerts, authzid)
-	return err
+	}
+	am.Login(client, clientAccount)
+	return
 }
 
 func (am *AccountManager) checkCertAuth(ip net.IP, certfp string, peerCerts []*x509.Certificate, authzid string) (clientAccount ClientAccount, err error) {