From c2846aed4df5852d2c181f4620ca4009dcad703e Mon Sep 17 00:00:00 2001
From: john
Date: Sun, 1 Jun 2025 23:35:33 +0200
Subject: [PATCH] dont use user from user cookie whatsoever!!!
---
 Femto.Api/Auth/SessionAuthenticationHandler.cs | 17 +++--------------
 Femto.Api/Controllers/Auth/AuthController.cs | 2 +-
 .../Sessions/HttpContextSessionExtensions.cs | 12 ++----------
 3 files changed, 6 insertions(+), 25 deletions(-)
diff --git a/Femto.Api/Auth/SessionAuthenticationHandler.cs b/Femto.Api/Auth/SessionAuthenticationHandler.cs
index 37939a4..2559988 100644
--- a/Femto.Api/Auth/SessionAuthenticationHandler.cs
+++ b/Femto.Api/Auth/SessionAuthenticationHandler.cs
@@ -21,7 +21,7 @@ internal class SessionAuthenticationHandler(
 {
 Logger.LogDebug("{TraceId} Authenticating session", this.Context.TraceIdentifier);
- var (sessionId, maybeUserId) = this.Context.GetSessionInfo();
+ var sessionId = this.Context.GetSessionId();
 if (sessionId is null)
@@ -44,19 +44,8 @@ internal class SessionAuthenticationHandler(
 return await FailAndDeleteSession(sessionId);
 }
- if (maybeUserId is not { } userId)
- {
- Logger.LogDebug("{TraceId} SessionId provided with no user", this.Context.TraceIdentifier);
- return await FailAndDeleteSession(sessionId);
- }
- if (session.UserId != userId)
- {
- Logger.LogDebug("{TraceId} SessionId provided with different user", this.Context.TraceIdentifier);
- return await FailAndDeleteSession(sessionId);
- }
-
- var user = await authService.GetUserWithId(userId);
+ var user = await authService.GetUserWithId(session.UserId);
 if (user is null)
 {
@@ -67,7 +56,7 @@ internal class SessionAuthenticationHandler(
 if (session.ExpiresSoon)
 {
- session = await authService.CreateWeakSession(userId);
+ session = await authService.CreateWeakSession(session.UserId);
 this.Context.SetSession(session, user);
 }
diff --git a/Femto.Api/Controllers/Auth/AuthController.cs b/Femto.Api/Controllers/Auth/AuthController.cs
index 3ca6203..5322493 100644
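Review bot: The principal is now built from `session.UserId` alone, but nothing at the new `GetUserWithId(session.UserId)` call records that the `user` cookie is deliberately ignored, while the third hunk still writes that cookie through `SetSession(session, user)`, so a later reader could reintroduce trust in it. Add above the call: `// Identity comes only from the server-side session record; the "user" cookie is a client-side hint and must never be consulted for authentication.` The removed cookie-vs-session cross-check was the last user-side comparison, so the unchanged `GetSession` lookup (outside this hunk) is now solely responsible for rejecting forged ids; worth confirming it treats the cookie value as an opaque token. The enclosing method starts and ends outside the hunk.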
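Review bot: When `session.ExpiresSoon`, `CreateWeakSession(session.UserId)` issues a replacement and `SetSession` rotates the cookie, but the previous session (the `sessionId` read at the top of the method) is not visibly revoked, so unless CreateWeakSession deletes it server-side the old cookie value stays valid until its own expiry. After `this.Context.SetSession(session, user);` revoke the prior id through the auth service, the same way `FailAndDeleteSession` does, or add a comment stating that CreateWeakSession invalidates the previous session if that is already the case. The enclosing method continues outside the hunk.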
--- a/Femto.Api/Controllers/Auth/AuthController.cs
+++ b/Femto.Api/Controllers/Auth/AuthController.cs
@@ -64,7 +64,7 @@ public class AuthController(
 [HttpDelete("session")]
 public async Task DeleteSession()
 {
- var (sessionId, userId) = HttpContext.GetSessionInfo();
+ var sessionId = HttpContext.GetSessionId();
 if (sessionId is not null)
 {
diff --git a/Femto.Api/Sessions/HttpContextSessionExtensions.cs b/Femto.Api/Sessions/HttpContextSessionExtensions.cs
index fcf2a1f..e693180 100644
--- a/Femto.Api/Sessions/HttpContextSessionExtensions.cs
+++ b/Femto.Api/Sessions/HttpContextSessionExtensions.cs
@@ -15,19 +15,11 @@ internal static class HttpContextSessionExtensions
 PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
 };
- public static SessionInfo GetSessionInfo(this HttpContext httpContext)
+ public static string? GetSessionId(this HttpContext httpContext)
 {
 var sessionId = httpContext.Request.Cookies["sid"];
-
- var userJson = httpContext.Request.Cookies["user"];
-
- UserInfo? user = null;
- if (userJson is not null)
- {
- user = JsonSerializer.Deserialize(userJson, JsonOptions);
- }
- return new SessionInfo(sessionId, user?.Id);
+ return sessionId;
 }
 public static void SetSession(this HttpContext context, Session session, UserInfo user)
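Review bot: `GetSessionId` hands back the raw cookie value, and `Request.Cookies["sid"]` yields `""` rather than null for a present-but-empty `sid` cookie, so the `sessionId is null` guard in the authentication handler lets an empty id through to the session lookup. Normalise it at the source: `return string.IsNullOrEmpty(sessionId) ? null : sessionId;`. A `/// <summary>` on the method stating that only the `sid` cookie is read and that the `user` cookie is intentionally ignored (and must stay that way) would also anchor the intent of this commit in the one place the cookies are parsed.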