From 83e9232b98f2e4f6d3fdf2506c3dff4d52af8789 Mon Sep 17 00:00:00 2001
From: ze0s <43699394+zze0s@users.noreply.github.com>
Date: Mon, 1 May 2023 14:27:30 +0200
Subject: [PATCH] fix(auth): invalid session error (#892)

* chore: ignore dist dir

* fix(auth): speculative invalid session
---
 .gitignore            |  1 +
 internal/http/auth.go | 15 +++++++++------
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/.gitignore b/.gitignore
index 2c1f69d..5b82820 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@ tmp/
 package-lock.json
 # Ditto for yarn, except we're using npm.
 yarn.lock
+dist/
diff --git a/internal/http/auth.go b/internal/http/auth.go
index c0d903a..3fcc4ba 100644
--- a/internal/http/auth.go
+++ b/internal/http/auth.go
@@ -108,6 +108,7 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
 	// Revoke users authentication
 	session.Values["authenticated"] = false
+	session.Options.MaxAge = -1
 	if err := session.Save(r, w); err != nil {
 		h.encoder.StatusError(w, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))
 		return
@@ -119,16 +120,15 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
 func (h authHandler) onboard(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 
-	session, err := h.cookieStore.Get(r, "user_session")
-	if err != nil {
-		h.log.Error().Err(err).Msg("could not get session")
-		h.encoder.StatusError(w, http.StatusInternalServerError, errors.New("could not get session"))
-		return
-	}
+	session, _ := h.cookieStore.Get(r, "user_session")
 
 	// Don't proceed if user is authenticated
 	if authenticated, ok := session.Values["authenticated"].(bool); ok {
 		if ok && authenticated {
+			session.Values["authenticated"] = false
+			session.Options.MaxAge = -1
+			session.Save(r, w)
+
 			h.encoder.StatusError(w, http.StatusForbidden, errors.New("active session found"))
 			return
 		}
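Review bot: The `session.Save(r, w)` added inside the `if ok && authenticated` branch of onboard drops its error, while the logout hunk just above checks the very same call, and the validate hunk further down repeats the unchecked form. If the save fails the client keeps its stale cookie and the handler still answers 403 with no log line, which makes the forced expiry hard to diagnose; since the handler returns right after, logging is enough: `if err := session.Save(r, w); err != nil { h.log.Error().Err(err).Msg("could not expire session") }`. The new `session, _ := h.cookieStore.Get(r, "user_session")` also needs a comment saying why the decode error is now deliberately ignored — presumably because the store still hands back a fresh, usable session when the cookie cannot be decoded, so an undecodable cookie is treated as unauthenticated rather than as a 500 — for example `// Decode errors are ignored on purpose: an undecodable cookie yields a fresh session and is treated as unauthenticated.` Keep the Save before the StatusError call as it is here, since Save is what emits the expiring Set-Cookie header.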
@@ -177,6 +177,9 @@ func (h authHandler) validate(w http.ResponseWriter, r *http.Request) {
 	// Check if user is authenticated
 	if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
+		session.Values["authenticated"] = false
+		session.Options.MaxAge = -1
+		session.Save(r, w)
 		h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("forbidden: invalid session"))
 		return
 	}
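Review bot: The three lines added to validate lack a comment explaining why the session is rewritten before the 401 is sent; the order is load-bearing, because `session.Save` sets the Set-Cookie header that expires the cookie and headers can no longer be added once `h.encoder.StatusError` has presumably written the status. Suggest placing `// Expire the cookie before writing the status so the client discards the invalid session.` above the first added line. The unchecked `session.Save(r, w)` here has the same problem as the onboard hunk above and should get the same logged error. validate's body begins and ends outside this hunk.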