fix(auth): invalid session error (#892)

* chore: ignore dist dir

* fix(auth): speculatively clear invalid sessions
This commit is contained in:
ze0s 2023-05-01 14:27:30 +02:00 committed by GitHub
parent 61439567d8
commit 83e9232b98
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 6 deletions

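--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,4 @@ tmp/
 package-lock.json
 # Ditto for yarn, except we're using npm.
 yarn.lock
+dist/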


@ -108,6 +108,7 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
// Revoke users authentication // Revoke users authentication
session.Values["authenticated"] = false session.Values["authenticated"] = false
session.Options.MaxAge = -1
if err := session.Save(r, w); err != nil { if err := session.Save(r, w); err != nil {
h.encoder.StatusError(w, http.StatusInternalServerError, errors.Wrap(err, "could not save session")) h.encoder.StatusError(w, http.StatusInternalServerError, errors.Wrap(err, "could not save session"))
return return
@ -119,16 +120,15 @@ func (h authHandler) logout(w http.ResponseWriter, r *http.Request) {
func (h authHandler) onboard(w http.ResponseWriter, r *http.Request) { func (h authHandler) onboard(w http.ResponseWriter, r *http.Request) {
ctx := r.Context() ctx := r.Context()
session, err := h.cookieStore.Get(r, "user_session") session, _ := h.cookieStore.Get(r, "user_session")
if err != nil {
h.log.Error().Err(err).Msg("could not get session")
h.encoder.StatusError(w, http.StatusInternalServerError, errors.New("could not get session"))
return
}
// Don't proceed if user is authenticated // Don't proceed if user is authenticated
if authenticated, ok := session.Values["authenticated"].(bool); ok { if authenticated, ok := session.Values["authenticated"].(bool); ok {
if ok && authenticated { if ok && authenticated {
session.Values["authenticated"] = false
session.Options.MaxAge = -1
session.Save(r, w)
h.encoder.StatusError(w, http.StatusForbidden, errors.New("active session found")) h.encoder.StatusError(w, http.StatusForbidden, errors.New("active session found"))
return return
} }
@ -177,6 +177,9 @@ func (h authHandler) validate(w http.ResponseWriter, r *http.Request) {
// Check if user is authenticated // Check if user is authenticated
if auth, ok := session.Values["authenticated"].(bool); !ok || !auth { if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
session.Values["authenticated"] = false
session.Options.MaxAge = -1
session.Save(r, w)
h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("forbidden: invalid session")) h.encoder.StatusError(w, http.StatusUnauthorized, errors.New("forbidden: invalid session"))
return return
} }
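Review bot: The `ok && authenticated` branch in the onboard hunk now revokes a valid session as a side effect before answering 403, so any request that reaches onboard while logged in — a stale browser tab, or a cross-site request if the cookie's SameSite attribute lets the browser attach it — logs the user out; the commit set out to clear invalid cookies, and a bare 403 is sufficient for the active-session case. The same hunk discards the `cookieStore.Get` error with `session, _ :=`; letting a stale or tampered cookie fall through to setup is reasonable if the store hands back a fresh session on decode failure (which I infer from the `Values`/`Options` API but cannot confirm here), but the reason should still be logged, at least at debug level, so signature failures from tampering or a key rotation stay observable. `session.Save(r, w)` has its error ignored at both new call sites; Save is what emits the Set-Cookie header, so a failure leaves the client holding the old cookie and deserves a log line. In validate, `session` is obtained before the hunk, so I cannot see whether its Get error is handled consistently with onboard.
```go
session, err := h.cookieStore.Get(r, "user_session")
if err != nil {
	// A stale or tampered cookie must not block first-time setup; the store
	// returns a fresh session, but keep the decode failure visible.
	h.log.Debug().Err(err).Msg("ignoring undecodable session cookie on onboard")
}

// Don't proceed if user is authenticated; leave the live session untouched.
if authenticated, ok := session.Values["authenticated"].(bool); ok && authenticated {
	h.encoder.StatusError(w, http.StatusForbidden, errors.New("active session found"))
	return
}
// … unchanged: onboarding request handling …
```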