From d4402f47098c2c6067fef7a9b1e089af53bc3350 Mon Sep 17 00:00:00 2001 From: npeter83 Date: Sun, 12 Jul 2026 04:17:02 +0200 Subject: [PATCH] chore(auth): drop now-dead session guard in messages_ws epoch read MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit resolved_user_id already accesses ws.session unguarded just above (SessionMiddleware covers the WS scope), so the '"session" in ws.scope' fallback was dead code — read ws.session directly for consistency (review follow-up). --- backend/app/routes/messages.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/backend/app/routes/messages.py b/backend/app/routes/messages.py index 5800220..6089550 100644 --- a/backend/app/routes/messages.py +++ b/backend/app/routes/messages.py @@ -376,7 +376,7 @@ async def messages_ws(ws: WebSocket) -> None: # SA4: honour server-side session revocation on the live channel too — reject a cookie whose # recorded epoch is behind the account's current one (mirrors current_user). Without this a # copied cookie could keep receiving pushes after a password reset / "log out everywhere". - epochs = (ws.session if "session" in ws.scope else {}).get("epochs") or {} + epochs = ws.session.get("epochs") or {} epoch_ok = user is not None and int(epochs.get(str(uid), 0)) == (user.session_epoch or 0) ok = epoch_ok and is_messageable_user(user) finally: