appview/oauth: use ResumeSession when fetching currently logged in user #723

merged

opened by

oppi.li 1 month ago targeting master from push-orvkryxksqsz

the final addition to my collection of oauth fixes: the session cookie is not a sufficient indication of a logged-in-ness of a user, we additionally validate this cookie against the session on redis using ResumeSession and kick users out if their session is invalid.

previously, a user may have appeared to be logged in (via the profile picture on the top right), but creating an auth'd request would have login-prompted them.

Signed-off-by: oppiliappan me@oppi.li

options

unified split

Changed files

+4 -5

appview

oauth

oauth.go

+4 -5

appview/oauth/oauth.go

···

       164
       164
        
       }

     

       165
       165
        
       

     

       166
       166
        
       func (o *OAuth) GetUser(r *http.Request) *User {

     

       167
       167
       -
       	sess, err := o.SessStore.Get(r, SessionName)

     

       168
       168
       -
       

     

       169
       169
       -
       	if err != nil || sess.IsNew {

     

       167
       167
       +
       	sess, err := o.ResumeSession(r)

     

       168
       168
       +
       	if err != nil {

     

       170
       169
        
       		return nil

     

       171
       170
        
       	}

     

       172
       171
        
       

     

       173
       172
        
       	return &User{

     

       174
       174
       -
       		Did: sess.Values[SessionDid].(string),

     

       175
       175
       -
       		Pds: sess.Values[SessionPds].(string),

     

       173
       173
       +
       		Did: sess.Data.AccountDID.String(),

     

       174
       174
       +
       		Pds: sess.Data.HostURL,

     

       176
       175
        
       	}

     

       177
       176
        
       }

     

       178
       177