From 682a91881258188b6aa31efd4b2cb1263698e794 Mon Sep 17 00:00:00 2001
From: Stavros
Date: Sun, 26 Jan 2025 11:05:11 +0200
Subject: [PATCH] refactor: don't store oauth token in cookie
---
 internal/api/api.go | 4 ++--
 internal/hooks/hooks.go | 20 ++------------------
 2 files changed, 4 insertions(+), 20 deletions(-)
diff --git a/internal/api/api.go b/internal/api/api.go
index 1dfa6af..d7ba7c7 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -291,7 +291,7 @@ func (api *API) SetupRoutes() {
 return
 }
- token, tokenErr := provider.ExchangeToken(code)
+ _, tokenErr := provider.ExchangeToken(code)
 if handleApiError(c, "Failed to exchange token", tokenErr) {
 return
@@ -315,7 +315,7 @@ func (api *API) SetupRoutes() {
 }
 session := sessions.Default(c)
- session.Set("tinyauth_sid", fmt.Sprintf("%s:%s", providerName.Provider, token))
+ session.Set("tinyauth_sid", fmt.Sprintf("%s:%s", providerName.Provider, email))
 session.Save()
 redirectURI, redirectURIErr := c.Cookie("tinyauth_redirect_uri")
diff --git a/internal/hooks/hooks.go b/internal/hooks/hooks.go
index 0fdff3b..a2e3e17 100644
--- a/internal/hooks/hooks.go
+++ b/internal/hooks/hooks.go
@@ -8,7 +8,6 @@ import (
 "github.com/gin-contrib/sessions"
 "github.com/gin-gonic/gin"
- "golang.org/x/oauth2"
 )
 func NewHooks(auth *auth.Auth, providers *providers.Providers) *Hooks {
@@ -90,22 +89,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) (types.UserContext, error) {
 }, nil
 }
- provider.Token = &oauth2.Token{
- AccessToken: sessionValue,
- }
-
- email, emailErr := hooks.Providers.GetUser(sessionType)
-
- if emailErr != nil {
- return types.UserContext{
- Email: "",
- IsLoggedIn: false,
- OAuth: false,
- Provider: "",
- }, nil
- }
-
- if !hooks.Auth.EmailWhitelisted(email) {
+ if !hooks.Auth.EmailWhitelisted(sessionValue) {
 session.Delete("tinyauth_sid")
 session.Save()
 return types.UserContext{
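Review bot: The value written on the new `session.Set("tinyauth_sid", ...)` line is now the identity claim itself (the email) rather than a credential that gets re-verified on later requests, so the authenticity of every subsequent login decision rests entirely on the session store's integrity protection (signing, and encryption if the store is cookie-backed) and the secret behind it; that configuration is not visible in this patch and should be confirmed. `email` is assigned between the two api.go hunks, outside view — it must be the provider-verified address for this to be safe. A comment on the `session.Set` line would make the new contract explicit: `// the session carries the provider-verified email; it is trusted only because the session store signs the cookie`. The enclosing handler closure starts and ends outside the hunk.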
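Review bot: Dropping the per-request `GetUser` call in UseUserContext means a session is never re-checked against the provider, so sign-out, account removal or token expiry at the provider is not noticed until the local session itself expires; the only remaining gate on the added line is `EmailWhitelisted(sessionValue)`. The stored format also changes in place: a `tinyauth_sid` issued before this commit holds `provider:<access token>`, so after deploy `sessionValue` would be a token string, and if the whitelist allows everything when unconfigured (not visible here) such a stale session would be treated as logged in with `Email` set to the old token — the same value flows into `Email: sessionValue` in the next hunk of this file. Rejecting a `sessionValue` that does not look like an email (deleting the session as the non-whitelisted branch already does) or changing the session key name so pre-commit cookies are discarded would close that window. A comment at the top of the new branch would help too: `// sessionValue is the email stored at login; it is trusted because the session store signs the cookie, not because it was re-verified`. UseUserContext starts before this hunk and continues past it.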
@@ -117,7 +101,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) (types.UserContext, error) {
 }
 return types.UserContext{
- Email: email,
+ Email: sessionValue,
 IsLoggedIn: true,
 OAuth: true,
 Provider: sessionType,