Monorepo for Tangled tangled.org

appview/oauth: use ResumeSession when fetching currently logged in user #723

merged opened by oppi.li targeting master from push-orvkryxksqsz

the final addition to my collection of oauth fixes: the session cookie is not a sufficient indication of the logged-in-ness of a user; we additionally validate this cookie against the session on Redis using ResumeSession and kick users out if their session is invalid.

previously, a user may have appeared to be logged in (via the profile picture on the top right), but creating an auth'd request would have login-prompted them.

Signed-off-by: oppiliappan me@oppi.li
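The stale-cookie scenario described above, as an added Go example that is not part of this PR or of the Tangled code base: the `sid|did|pds` cookie format, the in-memory store standing in for Redis, the `User` stand-in, the cookie name and the session id `sid-1` are all constructed here. `GetUserCookieOnly` shows the pattern the diff removes (a well-formed cookie is trusted as proof of login), `GetUserResumed` the pattern it introduces (the cookie is checked against the server-side session). After the server-side session is deleted, only the second variant stops reporting a user.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// User mirrors the Did/Pds shape handed to handlers on the page; a stand-in type.
type User struct {
	Did string
	Pds string
}

// serverSession is what the server-side store (Redis in the PR) records per session id.
type serverSession struct {
	Did       string
	Pds       string
	ExpiresAt time.Time
}

// SessionStore is an in-memory stand-in for the Redis session store.
type SessionStore struct {
	sessions map[string]serverSession
}

const cookieName = "appview-session" // hypothetical cookie name

var errNoSession = errors.New("no valid server-side session")

// makeCookie builds the example cookie "sid|did|pds" in the clear. A real cookie
// store would sign it, but a signature only proves the cookie was issued, not
// that the session behind it is still alive; that is the gap the PR closes.
func makeCookie(sid, did, pds string) *http.Cookie {
	return &http.Cookie{Name: cookieName, Value: sid + "|" + did + "|" + pds}
}

// GetUserCookieOnly is the "before" behaviour: a well-formed cookie is taken
// as proof of login and nothing server-side is consulted.
func GetUserCookieOnly(r *http.Request) *User {
	c, err := r.Cookie(cookieName)
	if err != nil {
		return nil
	}
	parts := strings.SplitN(c.Value, "|", 3)
	if len(parts) != 3 {
		return nil
	}
	return &User{Did: parts[1], Pds: parts[2]}
}

// ResumeSession validates the cookie's session id against the server-side store
// and rejects missing or expired sessions. It models the intent of the PR's
// ResumeSession call, not its implementation.
func (s *SessionStore) ResumeSession(r *http.Request) (*serverSession, error) {
	c, err := r.Cookie(cookieName)
	if err != nil {
		return nil, errNoSession
	}
	parts := strings.SplitN(c.Value, "|", 3)
	if len(parts) != 3 {
		return nil, errNoSession
	}
	sess, ok := s.sessions[parts[0]]
	if !ok || !time.Now().Before(sess.ExpiresAt) {
		return nil, errNoSession
	}
	return &sess, nil
}

// GetUserResumed is the "after" behaviour: identity comes from the resumed
// server-side session, so a cookie with no live session yields no user.
func (s *SessionStore) GetUserResumed(r *http.Request) *User {
	sess, err := s.ResumeSession(r)
	if err != nil {
		return nil
	}
	return &User{Did: sess.Did, Pds: sess.Pds}
}

// Logout deletes the server-side session; the cookie in the browser stays behind.
func (s *SessionStore) Logout(sid string) { delete(s.sessions, sid) }

// NewDemoStore returns a store holding one live session (constructed sample data).
func NewDemoStore() *SessionStore {
	return &SessionStore{sessions: map[string]serverSession{
		"sid-1": {Did: "did:plc:example", Pds: "https://pds.example", ExpiresAt: time.Now().Add(time.Hour)},
	}}
}

// requestWith builds a request that carries the given cookie.
func requestWith(c *http.Cookie) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	r.AddCookie(c)
	return r
}

func main() {
	store := NewDemoStore()
	c := makeCookie("sid-1", "did:plc:example", "https://pds.example")
	fmt.Println("live session, cookie-only:", GetUserCookieOnly(requestWith(c)) != nil)
	fmt.Println("live session, resumed:    ", store.GetUserResumed(requestWith(c)) != nil)
	store.Logout("sid-1")
	fmt.Println("after logout, cookie-only:", GetUserCookieOnly(requestWith(c)) != nil) // true: stale cookie still "logged in"
	fmt.Println("after logout, resumed:    ", store.GetUserResumed(requestWith(c)) != nil) // false: user is kicked out
}
```

The same asymmetry holds for expiry: the cookie-only path has no way to notice that `ExpiresAt` has passed, whereas the resumed path treats an expired entry the same as a deleted one.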

Labels

None yet.

assignee

None yet.

Participants 1
AT URI
at://did:plc:qfpnj4og54vl56wngdriaxug/sh.tangled.repo.pull/3m4diskcvxo22
+4 -5
Diff #0
+4 -5
appview/oauth/oauth.go
··· 164 164 } 165 165 166 166 func (o *OAuth) GetUser(r *http.Request) *User { 167 - sess, err := o.SessStore.Get(r, SessionName) 168 - 169 - if err != nil || sess.IsNew { 167 + sess, err := o.ResumeSession(r) 168 + if err != nil { 170 169 return nil 171 170 } 172 171 173 172 return &User{ 174 - Did: sess.Values[SessionDid].(string), 175 - Pds: sess.Values[SessionPds].(string), 173 + Did: sess.Data.AccountDID.String(), 174 + Pds: sess.Data.HostURL, 176 175 } 177 176 } 178 177
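Review bot: the error from `o.ResumeSession(r)` is discarded at `if err != nil { return nil }`, so a store lookup failure (the session backend being unreachable) becomes indistinguishable from "not logged in" and would silently sign every visitor out; consider logging the error, or distinguishing a lookup failure from an absent session, so that an outage is visible in the logs rather than surfacing as mass logouts. Also, `sess.Data.AccountDID.String()` and `sess.Data.HostURL` assume `sess.Data` is non-nil whenever `err` is nil; worth confirming ResumeSession guarantees that, since the old `sess.IsNew` guard that covered the empty-session case is removed here.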

History

1 round 0 comments
oppi.li submitted #0
1 commit
appview/oauth: use ResumeSession when fetching currently logged in user
3/3 success
0 comments
pull request successfully merged