botris.social/femto-backend
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

dont use user from user cookie whatsoever!!!

Browse source
This commit is contained in:
john 2025-06-01 23:35:33 +02:00
parent f48b421500
commit c2846aed4d
3 changed files with 6 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

17
Femto.Api/Auth/SessionAuthenticationHandler.cs
View file

@ -21,7 +21,7 @@ internal class SessionAuthenticationHandler(
{
Logger.LogDebug("{TraceId} Authenticating session", this.Context.TraceIdentifier);
var (sessionId, maybeUserId) = this.Context.GetSessionInfo();
var sessionId = this.Context.GetSessionId();
if (sessionId is null)
@ -44,19 +44,8 @@ internal class SessionAuthenticationHandler(
return await FailAndDeleteSession(sessionId);
}
if (maybeUserId is not { } userId)
{
Logger.LogDebug("{TraceId} SessionId provided with no user", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
if (session.UserId != userId)
{
Logger.LogDebug("{TraceId} SessionId provided with different user", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
var user = await authService.GetUserWithId(userId);
var user = await authService.GetUserWithId(session.UserId);
if (user is null)
{
@ -67,7 +56,7 @@ internal class SessionAuthenticationHandler(
if (session.ExpiresSoon)
{
session = await authService.CreateWeakSession(userId);
session = await authService.CreateWeakSession(session.UserId);
this.Context.SetSession(session, user);
}

2
Femto.Api/Controllers/Auth/AuthController.cs
View file

@ -64,7 +64,7 @@ public class AuthController(
[HttpDelete("session")]
public async Task<ActionResult> DeleteSession()
{
var (sessionId, userId) = HttpContext.GetSessionInfo();
var sessionId = HttpContext.GetSessionId();
if (sessionId is not null)
{

12
Femto.Api/Sessions/HttpContextSessionExtensions.cs
View file

@ -15,19 +15,11 @@ internal static class HttpContextSessionExtensions
PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
};
public static SessionInfo GetSessionInfo(this HttpContext httpContext)
public static string? GetSessionId(this HttpContext httpContext)
{
var sessionId = httpContext.Request.Cookies["sid"];
var userJson = httpContext.Request.Cookies["user"];
UserInfo? user = null;
if (userJson is not null)
{
user = JsonSerializer.Deserialize<UserInfo>(userJson, JsonOptions);
}
return new SessionInfo(sessionId, user?.Id);
return sessionId;
}
public static void SetSession(this HttpContext context, Session session, UserInfo user)