fix(auth): invalid session error (#892)

* chore: ignore dist dir * fix(auth): speculative invalid session
2025-07-23 08:49:13 +00:00 · 2023-05-01 14:27:30 +02:00 · 2023-05-01 14:27:30 +02:00 · 83e9232b98
commit 83e9232b98
parent 61439567d8
2 changed files with 10 additions and 6 deletions
--- a/internal/http/auth.go
+++ b/internal/http/auth.go
@ -108,6 +108,7 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {

 	// Revoke users authentication
 	session.Values["authenticated"] = false
+	session.Options.MaxAge = -1
 	if err := session.Save(r, w); err != nil {
 		h.encoder.StatusError(w, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))
 		return
@ -119,16 +120,15 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
 func (h authHandler) onboard(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()

-	session, err := h.cookieStore.Get(r, "user_session")
-	if err != nil {
-		h.log.Error().Err(err).Msg("could not get session")
-		h.encoder.StatusError(w, http.StatusInternalServerError, errors.New("could not get session"))
-		return
-	}
+	session, _ := h.cookieStore.Get(r, "user_session")

 	// Don't proceed if user is authenticated
 	if authenticated, ok := session.Values["authenticated"].(bool); ok {
 		if ok && authenticated {
+			session.Values["authenticated"] = false
+			session.Options.MaxAge = -1
+			session.Save(r, w)
+
 			h.encoder.StatusError(w, http.StatusForbidden, errors.New("active session found"))
 			return
 		}
@ -177,6 +177,9 @@ func (h authHandler) validate(w http.ResponseWriter, r *http.Request) {

 	// Check if user is authenticated
 	if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
+		session.Values["authenticated"] = false
+		session.Options.MaxAge = -1
+		session.Save(r, w)
 		h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("forbidden: invalid session"))
 		return
 	}