Auth: Remove the session cookie only if it's invalid or revoked (#65984)

Remove the cookie if it's invalid or revoked
This commit is contained in:
Misi 2023-04-13 09:23:39 +02:00 committed by GitHub
parent 8e03badfa2
commit 4cac95d1c2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -481,8 +481,8 @@ func (h *ContextHandler) initContextWithToken(reqContext *contextmodel.ReqContex
token, err := h.AuthTokenService.LookupToken(ctx, rawToken)
if err != nil {
reqContext.Logger.Warn("failed to look up session from cookie", "error", err)
if errors.Is(err, auth.ErrUserTokenNotFound) || errors.Is(err, auth.ErrInvalidSessionToken) {
// Burn the cookie in case of invalid, expired or missing token
if errors.Is(err, auth.ErrInvalidSessionToken) {
// Burn the cookie in case of invalid or revoked token
reqContext.Resp.Before(h.deleteInvalidCookieEndOfRequestFunc(reqContext))
}