go/authboss
1
0
Fork 0
mirror of https://github.com/volatiletech/authboss.git synced 2025-09-16 09:06:20 +02:00
Code Issues Releases Activity

Remove bad cookies in router

Browse Source 
- When authboss routes are accessed it goes through a check to see if
  they're logged in and if they need to actually visit this route. If
  the user was not found (despite having a session cookie) it would 500,
  and now it simply removes the bad cookie.
- Fix #75
This commit is contained in:
Aaron L
2015-08-30 07:26:52 -07:00
parent c4eb529fd9
commit 124b1aec46
2 changed files with 49 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
router.go
View File

@@ -111,12 +111,28 @@ func redirectIfLoggedIn(ctx *Context, w http.ResponseWriter, r *http.Request) (h
} }
} }
if cu, err := ctx.currentUser(ctx, w, r); err != nil { // Otherwise, check if they're logged in, this uses hooks to allow remember
// to set the session cookie
cu, err := ctx.currentUser(ctx, w, r)
// if the user was not found, that means the user was deleted from the underlying
// storer and we should just remove this session cookie and allow them through.
// if it's a generic error, 500
// if the user is found, redirect them away from this page, because they don't need
// to see it.
if err == ErrUserNotFound {
uname, _ := ctx.SessionStorer.Get(SessionKey)
fmt.Fprintf(ctx.LogWriter, "user (%s) has session cookie but user not found, removing cookie", uname)
ctx.SessionStorer.Del(SessionKey)
return false
} else if err != nil {
fmt.Fprintf(ctx.LogWriter, "error occurred reading current user at %s: %v", r.URL.Path, err) fmt.Fprintf(ctx.LogWriter, "error occurred reading current user at %s: %v", r.URL.Path, err)
w.WriteHeader(http.StatusInternalServerError) w.WriteHeader(http.StatusInternalServerError)
io.WriteString(w, "500 An error has occurred") io.WriteString(w, "500 An error has occurred")
return true return true
} else if cu != nil { }
if cu != nil {
if redir := r.FormValue(FormValueRedirect); len(redir) > 0 { if redir := r.FormValue(FormValueRedirect); len(redir) > 0 {
http.Redirect(w, r, redir, http.StatusFound) http.Redirect(w, r, redir, http.StatusFound)
} else { } else {

31
router_test.go
View File

@@ -300,3 +300,34 @@ func TestRouter_redirectIfLoggedInError(t *testing.T) {
t.Error("It should have internal server error'd:", w.Code) t.Error("It should have internal server error'd:", w.Code)
} }
} }
type notFoundStorer struct{}
func (n notFoundStorer) Create(key string, attributes Attributes) error { return nil }
func (n notFoundStorer) Put(key string, attributes Attributes) error { return nil }
func (n notFoundStorer) Get(key string) (interface{}, error) { return nil, ErrUserNotFound }
func TestRouter_redirectIfLoggedInUserNotFound(t *testing.T) {
t.Parallel()
ab := New()
ab.LogWriter = ioutil.Discard
ab.Storer = notFoundStorer{}
session := mockClientStore{SessionKey: "john"}
cookies := mockClientStore{}
ctx := ab.NewContext()
ctx.SessionStorer = session
ctx.CookieStorer = cookies
r, _ := http.NewRequest("GET", "/auth", nil)
w := httptest.NewRecorder()
handled := redirectIfLoggedIn(ctx, w, r)
if handled {
t.Error("It should not have been handled.")
}
if _, ok := session.Get(SessionKey); ok {
t.Error("It should have removed the bad session cookie")
}
}