tangled.org / core
Monorepo for Tangled tangled.org
fork atom

appview/oauth: use ResumeSession when fetching currently logged in user

the final addition to my collection of oauth fixes: the session cookie
is not a sufficient indication of a logged-in-ness of a user, we
additionally validate this cookie against the session on redis using
ResumeSession and kick users out if their session is invalid.

previously, a user may have appeared to be logged in (via the profile
picture on the top right), but creating an auth'd request would have
login-prompted them.

Signed-off-by: oppiliappan <me@oppi.li>

oppi.li cf31ce0f ee08cd02

verified
3/3
build.yml
fmt.yml
test.yml
options
unified split
Changed files
+4 -5
appview
oauth
oauth.go
+4 -5
appview/oauth/oauth.go
··· 164 } 165 166 func (o *OAuth) GetUser(r *http.Request) *User { 167 - sess, err := o.SessStore.Get(r, SessionName) 168 - 169 - if err != nil || sess.IsNew { 170 return nil 171 } 172 173 return &User{ 174 - Did: sess.Values[SessionDid].(string), 175 - Pds: sess.Values[SessionPds].(string), 176 } 177 } 178
··· 164 } 165 166 func (o *OAuth) GetUser(r *http.Request) *User { 167 + sess, err := o.ResumeSession(r) 168 + if err != nil { 169 return nil 170 } 171 172 return &User{ 173 + Did: sess.Data.AccountDID.String(), 174 + Pds: sess.Data.HostURL, 175 } 176 } 177