Open
Description
Request: `curl -v --cookie "token=everything_not_empty" localhost:8080`

Response:

```html
<nav class="navbar navbar-default">
  <div class="container">
    <div class="navbar-header">
      <a class="navbar-brand" href="/">
        Home
      </a>
    </div>
    <ul class="nav navbar-nav">
      <li><a href="/article/create">Create Article</a></li>
      <li><a href="/u/logout">Logout</a></li>
    </ul>
  </div>
</nav>
...
```
When the cookie `token` is set, you are seen as an authenticated user even if you are not logged in. This is because of the `setUserStatus` function:
```go
import "github.com/gin-gonic/gin"

// setUserStatus is the middleware as reported in this issue: it only
// checks that a "token" cookie is present, never that the token was
// actually issued by the server, so any non-empty value passes.
func setUserStatus() gin.HandlerFunc {
	return func(c *gin.Context) {
		if token, err := c.Cookie("token"); err == nil || token != "" {
			c.Set("is_logged_in", true)
		} else {
			c.Set("is_logged_in", false)
		}
	}
}
```
I think a solution could be `if token, err := c.Cookie("token"); err == nil || isTokenValide(token)`, where `isTokenValide` would check against a database whether the token has been issued.
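The following is an added example, not code from this issue or from the project it reports against, showing the reported condition beside a hardened one. It uses the standard library (`net/http`, `httptest`) instead of gin so it runs offline, and an in-memory map stands in for the database the issue suggests (both are assumptions). `VulnerableLoggedIn` reproduces the accept-anything behaviour; `SessionStore.LoggedIn` accepts a token only if it was issued by the server and not revoked, and note that its check is conjunctive: a present cookie alone is never enough.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync"
)

// SessionStore records the tokens the server has actually issued.
// The issue suggests checking against a database; an in-memory map
// stands in for it here so the example runs offline (assumption).
type SessionStore struct {
	mu     sync.RWMutex
	tokens map[string]string // token -> user name
}

func NewSessionStore() *SessionStore {
	return &SessionStore{tokens: make(map[string]string)}
}

// Issue mints a random 256-bit token for user and records it as valid.
func (s *SessionStore) Issue(user string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(buf)
	s.mu.Lock()
	s.tokens[tok] = user
	s.mu.Unlock()
	return tok, nil
}

// Revoke forgets a token (e.g. on /u/logout) so it stops authenticating.
func (s *SessionStore) Revoke(tok string) {
	s.mu.Lock()
	delete(s.tokens, tok)
	s.mu.Unlock()
}

// IsTokenValid is the check the issue proposes (there named isTokenValide):
// only tokens this server issued, and has not revoked, count.
func (s *SessionStore) IsTokenValid(tok string) bool {
	s.mu.RLock()
	defer s.mu.RUnlock()
	_, ok := s.tokens[tok]
	return ok
}

// VulnerableLoggedIn reproduces the condition from the reported
// setUserStatus: any "token" cookie, whatever its value, passes.
func VulnerableLoggedIn(r *http.Request) bool {
	c, err := r.Cookie("token")
	token := ""
	if err == nil {
		token = c.Value
	}
	return err == nil || token != ""
}

// LoggedIn is the hardened check: the cookie must be present, non-empty,
// AND known to the store. Presence alone grants nothing.
func (s *SessionStore) LoggedIn(r *http.Request) bool {
	c, err := r.Cookie("token")
	if err != nil || c.Value == "" {
		return false
	}
	return s.IsTokenValid(c.Value)
}

// RequestWithToken builds a constructed GET / carrying the given token
// cookie; an empty string means no cookie is sent at all.
func RequestWithToken(tok string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/", nil)
	if tok != "" {
		r.AddCookie(&http.Cookie{Name: "token", Value: tok})
	}
	return r
}

func main() {
	store := NewSessionStore()
	issued, _ := store.Issue("alice")
	// Constructed inputs: no cookie, the forged value from the issue, a real token.
	for _, tok := range []string{"", "everything_not_empty", issued} {
		r := RequestWithToken(tok)
		fmt.Printf("token=%q vulnerable=%v fixed=%v\n",
			tok, VulnerableLoggedIn(r), store.LoggedIn(r))
	}
}
```

Running it shows the forged cookie from the report accepted by the vulnerable check and rejected by the hardened one, while the issued token passes until it is revoked. In a real deployment the store would also expire tokens and the cookie would be set with `HttpOnly` and `Secure`.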