An implementation of the ATProto statusphere example app but in Go

fix the sessions table to make a session unique across the did and sessionID

authored by willdot.net and committed by tangled.org add27499 5adb3036

+5 -5
+4 -4
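--- a/database/oauth_sessions.go
+++ b/database/oauth_sessions.go
@@ -25,7 +25,7 @@
 "dpopAuthServerNonce" TEXT,
 "dpopHostNonce" TEXT,
 "dpopPrivateKeyMultibase" TEXT,
-UNIQUE(accountDID)
+UNIQUE(accountDID,sessionID)
 );`
 
 slog.Info("Create oauthsessions table...")
@@ -48,7 +48,7 @@
 return fmt.Errorf("marshalling scopes: %w", err)
 }
 
-sql := `INSERT INTO oauthsessions (accountDID, sessionID, hostURL, authServerURL, authServerTokenEndpoint, scopes, accessToken, refreshToken, dpopAuthServerNonce, dpopHostNonce, dpopPrivateKeyMultibase) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ON CONFLICT(accountDID) DO NOTHING;` // TODO: update on conflict
+sql := `INSERT INTO oauthsessions (accountDID, sessionID, hostURL, authServerURL, authServerTokenEndpoint, scopes, accessToken, refreshToken, dpopAuthServerNonce, dpopHostNonce, dpopPrivateKeyMultibase) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) ON CONFLICT(accountDID,sessionID) DO NOTHING;`
 _, err = d.db.Exec(sql, sess.AccountDID.String(), sess.SessionID, sess.HostURL, sess.AuthServerURL, sess.AuthServerTokenEndpoint, string(scopes), sess.AccessToken, sess.RefreshToken, sess.DPoPAuthServerNonce, sess.DPoPHostNonce, sess.DPoPPrivateKeyMultibase)
 if err != nil {
 slog.Error("saving session", "error", err)
@@ -88,8 +88,8 @@
 }
 
 func (d *DB) DeleteSession(ctx context.Context, did syntax.DID, sessionID string) error {
-sql := "DELETE FROM oauthsessions WHERE accountDID = ?;"
-_, err := d.db.Exec(sql, did.String())
+sql := "DELETE FROM oauthsessions WHERE accountDID = ? AND sessionID = ?;"
+_, err := d.db.Exec(sql, did.String(), sessionID)
 if err != nil {
 return fmt.Errorf("exec delete oauth session: %w", err)
 }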
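Review bot: The INSERT at line 51 still ends in `DO NOTHING`, and the commit drops the `// TODO: update on conflict` marker without implementing it, so a second save for the same (accountDID, sessionID) pair is silently discarded. If this insert is also the path that persists refreshed tokens and DPoP nonces (the caller is not visible here), the row keeps a stale accessToken/refreshToken pair and the session can stop working after the first refresh with no error logged. Consider an upsert for the mutable columns, e.g. `ON CONFLICT(accountDID,sessionID) DO UPDATE SET accessToken = excluded.accessToken, refreshToken = excluded.refreshToken, dpopAuthServerNonce = excluded.dpopAuthServerNonce, dpopHostNonce = excluded.dpopHostNonce;`. Separately, if the table is created with `IF NOT EXISTS` (the start of the statement is outside the hunk), a database created before this change keeps `UNIQUE(accountDID)`; the new conflict target would then match no unique constraint and the insert would fail, so existing deployments likely need a migration.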
+1 -1
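--- a/home_handler.go
+++ b/home_handler.go
@@ -116,7 +116,7 @@
 
 oauthSess, err := s.oauthClient.ResumeSession(r.Context(), *did, sessionID)
 if err != nil {
-slog.Error("resuming session", "error", err, "did", *did)
+slog.Error("resuming session", "error", err, "did", *did, "session ID", sessionID)
 
 // clear the session out
 sess, _ := s.sessionStore.Get(r, sessionStoreName)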
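Review bot: The new attribute key `"session ID"` at line 119 contains a space, unlike the `"error"` and `"did"` keys beside it, which makes the field awkward to query in structured log backends; `"sessionID"` would match the identifier used in the rest of the change. The value is also the lookup key for the stored OAuth session row, so if logs reach a wider audience than the database does, consider logging a truncated or hashed form rather than the full identifier. Proposed line: `slog.Error("resuming session", "error", err, "did", *did, "sessionID", sessionID)`. The enclosing handler starts and ends outside the hunk.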