commit 7270d3ae211aee6114e6539d9128c6b2ec47c221 · besaid.zone/core

besaid.zone / core

Monorepo for Tangled

appview/oauth: use ResumeSession when fetching currently logged in user

the final addition to my collection of oauth fixes: the session cookie
is not a sufficient indication of a logged-in-ness of a user, we
additionally validate this cookie against the session on redis using
ResumeSession and kick users out if their session is invalid.

previously, a user may have appeared to be logged in (via the profile
picture on the top right), but creating an auth'd request would have
login-prompted them.

Signed-off-by: oppiliappan <me@oppi.li>

authored by oppi.li and committed by Tangled 2 months ago 7270d3ae ee08cd02

options

unified split

Changed files

+4 -5

appview

oauth

oauth.go

+4 -5

appview/oauth/oauth.go

··· 164 164 } 165 165 166 166 func (o *OAuth) GetUser(r *http.Request) *User { 167 - sess, err := o.SessStore.Get(r, SessionName) 168 - 169 - if err != nil || sess.IsNew { 167 + sess, err := o.ResumeSession(r) 168 + if err != nil { 170 169 return nil 171 170 } 172 171 173 172 return &User{ 174 - Did: sess.Values[SessionDid].(string), 175 - Pds: sess.Values[SessionPds].(string), 173 + Did: sess.Data.AccountDID.String(), 174 + Pds: sess.Data.HostURL, 176 175 } 177 176 } 178 177