refactor: don't store oauth token in cookie

2025-10-28 04:35:40 +00:00 · 2025-01-26 11:05:11 +02:00
parent 389248cfe1
commit 682a918812
2 changed files with 4 additions and 20 deletions
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -291,7 +291,7 @@ func (api *API) SetupRoutes() {
 			return
 		}

-		token, tokenErr := provider.ExchangeToken(code)
+		_, tokenErr := provider.ExchangeToken(code)

 		if handleApiError(c, "Failed to exchange token", tokenErr) {
 			return
@@ -315,7 +315,7 @@ func (api *API) SetupRoutes() {
 		}

 		session := sessions.Default(c)
-		session.Set("tinyauth_sid", fmt.Sprintf("%s:%s", providerName.Provider, token))
+		session.Set("tinyauth_sid", fmt.Sprintf("%s:%s", providerName.Provider, email))
 		session.Save()

 		redirectURI, redirectURIErr := c.Cookie("tinyauth_redirect_uri")
--- a/internal/hooks/hooks.go
+++ b/internal/hooks/hooks.go
@@ -8,7 +8,6 @@ import (

 	"github.com/gin-contrib/sessions"
 	"github.com/gin-gonic/gin"
-	"golang.org/x/oauth2"
 )

 func NewHooks(auth *auth.Auth, providers *providers.Providers) *Hooks {
@@ -90,22 +89,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) (types.UserContext, error) {
 		}, nil
 	}

-	provider.Token = &oauth2.Token{
-		AccessToken: sessionValue,
-	}
-
-	email, emailErr := hooks.Providers.GetUser(sessionType)
-
-	if emailErr != nil {
-		return types.UserContext{
-			Email:      "",
-			IsLoggedIn: false,
-			OAuth:      false,
-			Provider:   "",
-		}, nil
-	}
-
-	if !hooks.Auth.EmailWhitelisted(email) {
+	if !hooks.Auth.EmailWhitelisted(sessionValue) {
 		session.Delete("tinyauth_sid")
 		session.Save()
 		return types.UserContext{
@@ -117,7 +101,7 @@ func (hooks *Hooks) UseUserContext(c *gin.Context) (types.UserContext, error) {
 	}

 	return types.UserContext{
-		Email:      email,
+		Email:      sessionValue,
 		IsLoggedIn: true,
 		OAuth:      true,
 		Provider:   sessionType,