chore(auth): drop now-dead session guard in messages_ws epoch read

resolved_user_id already accesses ws.session unguarded just above (SessionMiddleware
covers the WS scope), so the '"session" in ws.scope' fallback was dead code — read
ws.session directly for consistency (review follow-up).
This commit is contained in:
npeter83 2026-07-12 04:17:02 +02:00
parent f7fa516332
commit d4402f4709

View file

@ -376,7 +376,7 @@ async def messages_ws(ws: WebSocket) -> None:
# SA4: honour server-side session revocation on the live channel too — reject a cookie whose
# recorded epoch is behind the account's current one (mirrors current_user). Without this a
# copied cookie could keep receiving pushes after a password reset / "log out everywhere".
epochs = (ws.session if "session" in ws.scope else {}).get("epochs") or {}
epochs = ws.session.get("epochs") or {}
epoch_ok = user is not None and int(epochs.get(str(uid), 0)) == (user.session_epoch or 0)
ok = epoch_ok and is_messageable_user(user)
finally: