fix(xo-server): better token check on HTTP request

It now checks that the user associated with the authentication token really exists.

This fixes xo-web infinite refresh when the token stored in cookies belongs to a missing user.

CHANGELOG.unreleased.md

@@ -42,6 +42,7 @@
 - @xen-orchestra/fs patch
 - @vates/node-vsphere-soap major
 - @xen-orchestra/vmware-explorer patch
+- xo-server patch
 - xo-server-auth-oidc minor
 - xo-web minor
 

packages/xo-server/src/xo-mixins/authentication.mjs

@@ -267,7 +267,8 @@ export default class {
   }
 
   async isValidAuthenticationToken(id) {
-    return (await this._getAuthenticationToken(id)) !== undefined
+    const token = await this._getAuthenticationToken(id)
+    return token !== undefined && (await this._app.doesUserExist(token.user_id))
   }
 
   async updateAuthenticationToken(properties, { description }) {

packages/xo-server/src/xo-mixins/subjects.mjs

@@ -119,6 +119,10 @@ export default class {
     })
   }
 
+  doesUserExist(id) {
+    return this._users.exists(id)
+  }
+
   async updateUser(
     id,
     {