tangled.org / core
Monorepo for Tangled tangled.org
fork atom

appview/oauth: use ResumeSession when fetching currently logged in user

the final addition to my collection of oauth fixes: the session cookie
is not a sufficient indication of a logged-in-ness of a user, we
additionally validate this cookie against the session on redis using
ResumeSession and kick users out if their session is invalid.

previously, a user may have appeared to be logged in (via the profile
picture on the top right), but creating an auth'd request would have
login-prompted them.

Signed-off-by: oppiliappan <me@oppi.li>

oppi.li cf31ce0f ee08cd02

verified
3/3
build.yml
fmt.yml
test.yml
options
unified split
Changed files
+4 -5
appview
oauth
oauth.go
+4 -5
appview/oauth/oauth.go
··· 164 164 } 165 165 166 166 func (o *OAuth) GetUser(r *http.Request) *User { 167 - sess, err := o.SessStore.Get(r, SessionName) 168 - 169 - if err != nil || sess.IsNew { 167 + sess, err := o.ResumeSession(r) 168 + if err != nil { 170 169 return nil 171 170 } 172 171 173 172 return &User{ 174 - Did: sess.Values[SessionDid].(string), 175 - Pds: sess.Values[SessionPds].(string), 173 + Did: sess.Data.AccountDID.String(), 174 + Pds: sess.Data.HostURL, 176 175 } 177 176 } 178 177