From cf31ce0f5f0094203180597e347887a634f32b86 Mon Sep 17 00:00:00 2001
From: oppiliappan
Date: Wed, 29 Oct 2025 12:54:57 +0000
Subject: [PATCH] appview/oauth: use ResumeSession when fetching currently logged in user
Change-Id: orvkryxksqszkmzorvmzpwywvutyruus
the final addition to my collection of oauth fixes: the session cookie is not a sufficient indication of a logged-in-ness of a user, we additionally validate this cookie against the session on redis using ResumeSession and kick users out if their session is invalid. previously, a user may have appeared to be logged in (via the profile picture on the top right), but creating an auth'd request would have login-prompted them.
Signed-off-by: oppiliappan
---
 appview/oauth/oauth.go | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/appview/oauth/oauth.go b/appview/oauth/oauth.go
index 159c3fad..e5ad48df 100644
--- a/appview/oauth/oauth.go
+++ b/appview/oauth/oauth.go
@@ -164,15 +164,14 @@ type User struct {
 }
 
 func (o *OAuth) GetUser(r *http.Request) *User {
-	sess, err := o.SessStore.Get(r, SessionName)
-
-	if err != nil || sess.IsNew {
+	sess, err := o.ResumeSession(r)
+	if err != nil {
 		return nil
 	}
 
 	return &User{
-		Did: sess.Values[SessionDid].(string),
-		Pds: sess.Values[SessionPds].(string),
+		Did: sess.Data.AccountDID.String(),
+		Pds: sess.Data.HostURL,
 	}
 }
-- 
2.43.0
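Review bot: The new `if err != nil { return nil }` in GetUser folds every ResumeSession failure into "not logged in", so a session-store outage or a decode error is indistinguishable from an anonymous request and leaves no trace for an operator. Consider logging the error at least at debug level before returning, e.g. `if err != nil { slog.Debug("resuming session", "err", err); return nil }` (using whichever logger the package already has in scope), so that a burst of apparent logouts can be attributed to the store rather than to stale cookies. GetUser also carries no doc comment; `// GetUser returns the user whose session cookie resumes against the session store, or nil when the request is anonymous or the session is no longer valid.` would capture the contract the commit message describes. If ResumeSession performs a store round-trip on each call, callers that invoke GetUser more than once per request now pay that cost each time — worth confirming against the callers.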