dont use user from user cookie whatsoever!!!

This commit is contained in:
john 2025-06-01 23:35:33 +02:00
parent f48b421500
commit c2846aed4d
3 changed files with 6 additions and 25 deletions


@ -21,7 +21,7 @@ internal class SessionAuthenticationHandler(
{ {
Logger.LogDebug("{TraceId} Authenticating session", this.Context.TraceIdentifier); Logger.LogDebug("{TraceId} Authenticating session", this.Context.TraceIdentifier);
var (sessionId, maybeUserId) = this.Context.GetSessionInfo(); var sessionId = this.Context.GetSessionId();
if (sessionId is null) if (sessionId is null)
@ -44,19 +44,8 @@ internal class SessionAuthenticationHandler(
return await FailAndDeleteSession(sessionId); return await FailAndDeleteSession(sessionId);
} }
if (maybeUserId is not { } userId)
{
Logger.LogDebug("{TraceId} SessionId provided with no user", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
if (session.UserId != userId) var user = await authService.GetUserWithId(session.UserId);
{
Logger.LogDebug("{TraceId} SessionId provided with different user", this.Context.TraceIdentifier);
return await FailAndDeleteSession(sessionId);
}
var user = await authService.GetUserWithId(userId);
if (user is null) if (user is null)
{ {
@ -67,7 +56,7 @@ internal class SessionAuthenticationHandler(
if (session.ExpiresSoon) if (session.ExpiresSoon)
{ {
session = await authService.CreateWeakSession(userId); session = await authService.CreateWeakSession(session.UserId);
this.Context.SetSession(session, user); this.Context.SetSession(session, user);
} }
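Review bot: The lookup `var user = await authService.GetUserWithId(session.UserId);` makes the server-side session record the sole source of identity, but nothing in the handler records that this is deliberate, so a later change could reintroduce a client-supplied user id without tripping a reviewer. Add above that line: `// Identity is taken only from the server-side session; no cookie other than "sid" is trusted.` The renewal path `session = await authService.CreateWeakSession(session.UserId);` in the last hunk relies on the same invariant and could carry a one-line reference to it. The enclosing method starts and ends outside these hunks, so I cannot confirm no other reader of the removed `userId` local remains.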


@ -64,7 +64,7 @@ public class AuthController(
[HttpDelete("session")] [HttpDelete("session")]
public async Task<ActionResult> DeleteSession() public async Task<ActionResult> DeleteSession()
{ {
var (sessionId, userId) = HttpContext.GetSessionInfo(); var sessionId = HttpContext.GetSessionId();
if (sessionId is not null) if (sessionId is not null)
{ {


@ -15,19 +15,11 @@ internal static class HttpContextSessionExtensions
PropertyNamingPolicy = JsonNamingPolicy.CamelCase, PropertyNamingPolicy = JsonNamingPolicy.CamelCase,
}; };
public static SessionInfo GetSessionInfo(this HttpContext httpContext) public static string? GetSessionId(this HttpContext httpContext)
{ {
var sessionId = httpContext.Request.Cookies["sid"]; var sessionId = httpContext.Request.Cookies["sid"];
var userJson = httpContext.Request.Cookies["user"];
UserInfo? user = null;
if (userJson is not null)
{
user = JsonSerializer.Deserialize<UserInfo>(userJson, JsonOptions);
}
return new SessionInfo(sessionId, user?.Id); return sessionId;
} }
public static void SetSession(this HttpContext context, Session session, UserInfo user) public static void SetSession(this HttpContext context, Session session, UserInfo user)
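Review bot: `GetSessionId` now returns the raw `sid` cookie value with no documentation that the `user` cookie is intentionally ignored, which is the point of this commit and is easy to lose in a later refactor. Add above the signature: `/// <summary>Returns the "sid" cookie value, or null when absent. The "user" cookie is intentionally never read: identity is resolved from the server-side session only.</summary>`. With the `JsonSerializer.Deserialize` call removed, the `JsonOptions` field at the top of the hunk is only needed if `SetSession` (whose body is outside the hunk) still serializes the user cookie; if it does, that cookie is now purely informational for the client and the field's comment should say so, otherwise the field and the `SessionInfo` type from the old signature are presumably dead and can go.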