chore(auth): drop now-dead session guard in messages_ws epoch read
resolved_user_id already accesses ws.session unguarded just above (SessionMiddleware covers the WS scope), so the '"session" in ws.scope' fallback was dead code — read ws.session directly for consistency (review follow-up).
This commit is contained in:
parent
f7fa516332
commit
d4402f4709
1 changed files with 1 additions and 1 deletions
|
|
@ -376,7 +376,7 @@ async def messages_ws(ws: WebSocket) -> None:
|
||||||
# SA4: honour server-side session revocation on the live channel too — reject a cookie whose
|
# SA4: honour server-side session revocation on the live channel too — reject a cookie whose
|
||||||
# recorded epoch is behind the account's current one (mirrors current_user). Without this a
|
# recorded epoch is behind the account's current one (mirrors current_user). Without this a
|
||||||
# copied cookie could keep receiving pushes after a password reset / "log out everywhere".
|
# copied cookie could keep receiving pushes after a password reset / "log out everywhere".
|
||||||
epochs = (ws.session if "session" in ws.scope else {}).get("epochs") or {}
|
epochs = ws.session.get("epochs") or {}
|
||||||
epoch_ok = user is not None and int(epochs.get(str(uid), 0)) == (user.session_epoch or 0)
|
epoch_ok = user is not None and int(epochs.get(str(uid), 0)) == (user.session_epoch or 0)
|
||||||
ok = epoch_ok and is_messageable_user(user)
|
ok = epoch_ok and is_messageable_user(user)
|
||||||
finally:
|
finally:
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue