appview/oauth: use ResumeSession when fetching currently logged in user #723

merged

opened by

oppi.li 2 months ago targeting master from push-orvkryxksqsz

the final addition to my collection of oauth fixes: the session cookie is not a sufficient indication of a logged-in-ness of a user, we additionally validate this cookie against the session on redis using ResumeSession and kick users out if their session is invalid.

previously, a user may have appeared to be logged in (via the profile picture on the top right), but creating an auth'd request would have login-prompted them.

Signed-off-by: oppiliappan me@oppi.li

options

unified split

Changed files

+4 -5

appview

oauth

oauth.go

+4 -5

appview/oauth/oauth.go

··· 164 } 165 166 func (o *OAuth) GetUser(r *http.Request) *User { 167 - sess, err := o.SessStore.Get(r, SessionName) 168 - 169 - if err != nil || sess.IsNew { 170 return nil 171 } 172 173 return &User{ 174 - Did: sess.Values[SessionDid].(string), 175 - Pds: sess.Values[SessionPds].(string), 176 } 177 } 178

··· 164 } 165 166 func (o *OAuth) GetUser(r *http.Request) *User { 167 + sess, err := o.ResumeSession(r) 168 + if err != nil { 169 return nil 170 } 171 172 return &User{ 173 + Did: sess.Data.AccountDID.String(), 174 + Pds: sess.Data.HostURL, 175 } 176 } 177