Remove bad cookies in router

- When authboss routes are accessed it goes through a check to see if they're logged in and if they need to actually visit this route. If the user was not found (despite having a session cookie) it would 500, and now it simply removes the bad cookie. - Fix #75
2025-03-25 22:00:57 +02:00 · 2015-08-30 07:26:52 -07:00 · 2015-08-30 07:26:52 -07:00 · 124b1aec46
commit 124b1aec46
parent c4eb529fd9
2 changed files with 49 additions and 2 deletions
--- a/router.go
+++ b/router.go
@ -111,12 +111,28 @@ func redirectIfLoggedIn(ctx *Context, w http.ResponseWriter, r *http.Request) (h
 		}
 	}

-	if cu, err := ctx.currentUser(ctx, w, r); err != nil {
+	// Otherwise, check if they're logged in, this uses hooks to allow remember
+	// to set the session cookie
+	cu, err := ctx.currentUser(ctx, w, r)
+
+	// if the user was not found, that means the user was deleted from the underlying
+	// storer and we should just remove this session cookie and allow them through.
+	// if it's a generic error, 500
+	// if the user is found, redirect them away from this page, because they don't need
+	// to see it.
+	if err == ErrUserNotFound {
+		uname, _ := ctx.SessionStorer.Get(SessionKey)
+		fmt.Fprintf(ctx.LogWriter, "user (%s) has session cookie but user not found, removing cookie", uname)
+		ctx.SessionStorer.Del(SessionKey)
+		return false
+	} else if err != nil {
 		fmt.Fprintf(ctx.LogWriter, "error occurred reading current user at %s: %v", r.URL.Path, err)
 		w.WriteHeader(http.StatusInternalServerError)
 		io.WriteString(w, "500 An error has occurred")
 		return true
-	} else if cu != nil {
+	}
+
+	if cu != nil {
 		if redir := r.FormValue(FormValueRedirect); len(redir) > 0 {
 			http.Redirect(w, r, redir, http.StatusFound)
 		} else {
--- a/router_test.go
+++ b/router_test.go
@ -300,3 +300,34 @@ func TestRouter_redirectIfLoggedInError(t *testing.T) {
 		t.Error("It should have internal server error'd:", w.Code)
 	}
 }
+
+type notFoundStorer struct{}
+
+func (n notFoundStorer) Create(key string, attributes Attributes) error { return nil }
+func (n notFoundStorer) Put(key string, attributes Attributes) error    { return nil }
+func (n notFoundStorer) Get(key string) (interface{}, error)            { return nil, ErrUserNotFound }
+
+func TestRouter_redirectIfLoggedInUserNotFound(t *testing.T) {
+	t.Parallel()
+
+	ab := New()
+	ab.LogWriter = ioutil.Discard
+	ab.Storer = notFoundStorer{}
+
+	session := mockClientStore{SessionKey: "john"}
+	cookies := mockClientStore{}
+	ctx := ab.NewContext()
+	ctx.SessionStorer = session
+	ctx.CookieStorer = cookies
+
+	r, _ := http.NewRequest("GET", "/auth", nil)
+	w := httptest.NewRecorder()
+	handled := redirectIfLoggedIn(ctx, w, r)
+
+	if handled {
+		t.Error("It should not have been handled.")
+	}
+	if _, ok := session.Get(SessionKey); ok {
+		t.Error("It should have removed the bad session cookie")
+	}
+}