botris.social/femto-backend
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

dont use user from user cookie whatsoever!!!

Browse source
This commit is contained in:
john 2025-06-01 23:35:33 +02:00
parent f48b421500
commit c2846aed4d
3 changed files with 6 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

17
Femto.Api/Auth/SessionAuthenticationHandler.cs
View file

@ -21,7 +21,7 @@ internal class SessionAuthenticationHandler(
{
Logger.LogDebug("{TraceId} Authenticating session", this.Context.TraceIdentifier);
var (sessionId, maybeUserId) = this.Context.GetSessionInfo();
var sessionId = this.Context.GetSessionId();
if (sessionId is null)
@ -44,19 +44,8 @@ internal class SessionAuthenticationHandler(
return await FailAndDeleteSession(sessionId);
}
if (maybeUserId is not { } userId)
{
Logger.LogDebug("{TraceId} SessionId provided with no user", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
if (session.UserId != userId)
{
Logger.LogDebug("{TraceId} SessionId provided with different user", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
var user = await authService.GetUserWithId(userId);
var user = await authService.GetUserWithId(session.UserId);
if (user is null)
{
@ -67,7 +56,7 @@ internal class SessionAuthenticationHandler(
if (session.ExpiresSoon)
{
session = await authService.CreateWeakSession(userId);
session = await authService.CreateWeakSession(session.UserId);
this.Context.SetSession(session, user);
}