diffdown.com
Diffdown is a real-time collaborative Markdown editor/previewer built on the AT Protocol
diffdown.com
fix: validate session in database for WebSocket auth
+15
-1
+15
-1
internal/handler/handler.go
+15
-1
internal/handler/handler.go
···
748
748
parser := jwt.Parser{}
749
749
_, _, err := parser.ParseUnverified(accessToken, claims)
750
750
if err != nil {
751
-
return "", "", err
751
+
return "", "", fmt.Errorf("parse token: %w", err)
752
752
}
753
753
754
754
did, ok := (*claims)["sub"].(string)
755
755
if !ok {
756
756
return "", "", fmt.Errorf("no sub in token")
757
+
}
758
+
759
+
user, err := h.DB.GetUserByDID(did)
760
+
if err != nil {
761
+
return "", "", fmt.Errorf("user not found: %w", err)
762
+
}
763
+
764
+
session, err := h.DB.GetATProtoSession(user.ID)
765
+
if err != nil {
766
+
return "", "", fmt.Errorf("session not found: %w", err)
767
+
}
768
+
769
+
if time.Now().After(session.ExpiresAt) {
770
+
return "", "", fmt.Errorf("session expired")
757
771
}
758
772
759
773
name, _ := (*claims)["name"].(string)