oxtyped / gpodder2go

gpodder2go is a simple self-hosted, golang, drop-in replacement for gpodder/mygpo server to handle podcast subscriptions management for gpodder clients
GNU Affero General Public License v3.0

pkg/middleware: more robust sessionid handling #8

Closed sbinet closed 1 year ago

sbinet commented 1 year ago

Dots '.' may appear in the decoded sessionid string. The logic to extract the username from the decoded sessionid string would then be defeated.

sbinet commented 1 year ago

Perhaps a better way of handling this (trying to find where the username starts and where the key ends is prone to errors: what if the username contains a . ?) would be to pass the expected username to the Verifier?

oxtyped commented 1 year ago

Perhaps a better way of handling this (trying to find where the username starts and where the key ends is prone to errors: what if the username contains a . ?) would be to pass the expected username to the Verifier?

I think this might be up for a separate discussion (maybe in a new issue). I'm not sure if we should support . in usernames since that might also have a bit of an effect when it comes to querying for usernames with . in the database iirc.

But should we choose either way, pkg/apis/handlers.go (https://github.com/oxtyped/gpodder2go/blob/main/pkg/apis/handlers.go#L50-L82) will still need to be updated to handle both scenarios.
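To make the trade-off discussed above concrete, here is an added example that is not gpodder2go's code: it assumes a session id layout of `<username>.<hex HMAC>` base64-encoded as a whole (the project's real encoding is not shown on this page), and contrasts the split-on-dot extraction with a verifier that receives the expected username from the caller. `NewSessionID`, `NaiveVerify`, `VerifyFor` and the demo secret are constructed names for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"strings"
)

// Assumed layout (not gpodder2go's real one): the decoded session id is
// "<username>.<hex HMAC over username>", then base64-encoded as a whole.
var secret = []byte("constructed-demo-secret")

func sign(username string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(username))
	return hex.EncodeToString(m.Sum(nil))
}

// NewSessionID issues a session id in the assumed layout.
func NewSessionID(username string) string {
	return base64.StdEncoding.EncodeToString([]byte(username + "." + sign(username)))
}

// NaiveVerify is the brittle approach the PR describes: it recovers the
// username by splitting on the first '.', so "john.doe" is read as "john".
func NaiveVerify(sessionID string) (string, bool) {
	raw, err := base64.StdEncoding.DecodeString(sessionID)
	if err != nil {
		return "", false
	}
	username, mac, ok := strings.Cut(string(raw), ".")
	return username, ok && hmac.Equal([]byte(mac), []byte(sign(username)))
}

// VerifyFor takes the expected username from the caller, so it never guesses
// where the username ends: the decoded value must be "<expected>.<mac>" exactly.
func VerifyFor(sessionID, expected string) bool {
	raw, err := base64.StdEncoding.DecodeString(sessionID)
	if err != nil {
		return false
	}
	prefix := expected + "."
	if !strings.HasPrefix(string(raw), prefix) {
		return false
	}
	return hmac.Equal([]byte(string(raw)[len(prefix):]), []byte(sign(expected)))
}
```

With the expected username supplied, a dotted username such as `john.doe` verifies correctly, and a session id is also bound to the user the handler is actually serving rather than to whatever name the parser happened to extract.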