Reset Session ID on login (#18018) (#18041)

Backport #18018 When logging in the SessionID should be reset and the session cleaned up. Also logs the user in on completion of linking account Signed-off-by: Andrew Thornton <art27@cantab.net>
2025-08-24 18:38:28 +00:00 · 2021-12-20 20:06:54 +00:00
parent 148a417774
commit 76e1c130fb
11 changed files with 148 additions and 31 deletions
--- a/vendor/gitea.com/go-chi/session/session.go
+++ b/vendor/gitea.com/go-chi/session/session.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"reflect"
 	"time"
 )

@@ -259,7 +260,7 @@ func Sessioner(options ...Options) func(next http.Handler) http.Handler {
 				return
 			}

-			if err = sess.Release(); err != nil {
+			if err = s.RawStore.Release(); err != nil {
 				panic("session(release): " + err.Error())
 			}
 		})
@@ -273,6 +274,26 @@ func GetSession(req *http.Request) Store {
 	return sess
 }

+// RegenerateSession
+func RegenerateSession(resp http.ResponseWriter, req *http.Request) (Store, error) {
+	sess, ok := GetSession(req).(*store)
+	if !ok {
+		return nil, fmt.Errorf("no session in request context")
+	}
+
+	oldRawStore := sess.RawStore
+	if err := oldRawStore.Release(); err != nil {
+		return nil, err
+	}
+
+	store, err := sess.RegenerateID(resp, req)
+	if err != nil {
+		return nil, err
+	}
+	sess.RawStore = store
+	return sess, nil
+}
+
 // Provider is the interface that provides session manipulations.
 type Provider interface {
 	// Init initializes session provider.
@@ -291,17 +312,34 @@ type Provider interface {
 	GC()
 }

-var providers = make(map[string]Provider)
+var providers = make(map[string]func() Provider)

 // Register registers a provider.
 func Register(name string, provider Provider) {
-	if provider == nil {
+	if reflect.TypeOf(provider).Kind() == reflect.Ptr {
+		// Pointer:
+		RegisterFn(name, func() Provider {
+			return reflect.New(reflect.ValueOf(provider).Elem().Type()).Interface().(Provider)
+		})
+		return
+	}
+
+	// Not a Pointer
+	RegisterFn(name, func() Provider {
+		return reflect.New(reflect.TypeOf(provider)).Elem().Interface().(Provider)
+	})
+}
+
+// RegisterFn registers a provider function.
+func RegisterFn(name string, providerfn func() Provider) {
+	if providerfn == nil {
 		panic("session: cannot register provider with nil value")
 	}
 	if _, dup := providers[name]; dup {
 		panic(fmt.Errorf("session: cannot register provider '%s' twice", name))
 	}
-	providers[name] = provider
+
+	providers[name] = providerfn
 }

 //    _____
@@ -318,12 +356,15 @@ type Manager struct {
 }

 // NewManager creates and returns a new session manager by given provider name and configuration.
-// It panics when given provider isn't registered.
+// It returns an error when requested provider name isn't registered.
 func NewManager(name string, opt Options) (*Manager, error) {
-	p, ok := providers[name]
+	fn, ok := providers[name]
 	if !ok {
 		return nil, fmt.Errorf("session: unknown provider '%s'(forgotten import?)", name)
 	}
+
+	p := fn()
+
 	return &Manager{p, opt}, p.Init(opt.Maxlifetime, opt.ProviderConfig)
 }