commit 7270d3ae211aee6114e6539d9128c6b2ec47c221 · julien.rbrt.fr/tangled-core

Monorepo for Tangled — https://tangled.org

appview/oauth: use ResumeSession when fetching currently logged in user

the final addition to my collection of oauth fixes: the session cookie
is not a sufficient indication of a logged-in-ness of a user, we
additionally validate this cookie against the session on redis using
ResumeSession and kick users out if their session is invalid.

previously, a user may have appeared to be logged in (via the profile
picture on the top right), but creating an auth'd request would have
login-prompted them.

Signed-off-by: oppiliappan <me@oppi.li>

oppi.li 1 month ago 7270d3ae ee08cd02

options

unified split

Changed files

+4 -5

appview

oauth

oauth.go

+4 -5

appview/oauth/oauth.go

···

       164
       164
        
       }

     

       165
       165
        
       

     

       166
       166
        
       func (o *OAuth) GetUser(r *http.Request) *User {

     

       167
       167
       -
       	sess, err := o.SessStore.Get(r, SessionName)

     

       168
       168
       -
       

     

       169
       169
       -
       	if err != nil || sess.IsNew {

     

       167
       167
       +
       	sess, err := o.ResumeSession(r)

     

       168
       168
       +
       	if err != nil {

     

       170
       169
        
       		return nil

     

       171
       170
        
       	}

     

       172
       171
        
       

     

       173
       172
        
       	return &User{

     

       174
       174
       -
       		Did: sess.Values[SessionDid].(string),

     

       175
       175
       -
       		Pds: sess.Values[SessionPds].(string),

     

       173
       173
       +
       		Did: sess.Data.AccountDID.String(),

     

       174
       174
       +
       		Pds: sess.Data.HostURL,

     

       176
       175
        
       	}

     

       177
       176
        
       }

     

       178
       177