From 57b57931b2f0febe2cd3019239ee81450800a0c7 Mon Sep 17 00:00:00 2001
From: Christoph Haas
Date: Fri, 30 Jul 2021 13:56:21 +0200
Subject: [PATCH] validate user in session (#32)

---
 internal/server/handlers_common.go | 7 +++++++
 internal/server/routes.go          | 8 ++++++++
 2 files changed, 15 insertions(+)

diff --git a/internal/server/handlers_common.go b/internal/server/handlers_common.go
index 476474b..ab851bb 100644
--- a/internal/server/handlers_common.go
+++ b/internal/server/handlers_common.go
@@ -192,3 +192,10 @@ func (s *Server) setFormInSession(c *gin.Context, formData interface{}) (Session
 	return currentSession, nil
 }
 
+
+func (s *Server) isUserStillValid(email string) bool {
+	if s.users.GetUser(email) == nil {
+		return false
+	}
+	return true
+}
diff --git a/internal/server/routes.go b/internal/server/routes.go
index 21451e2..5d10776 100644
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -141,6 +141,14 @@ func (s *Server) RequireAuthentication(scope string) gin.HandlerFunc {
 			return
 		}
 
+		// Check if logged-in user is still valid
+		if !s.isUserStillValid(session.Email) {
+			_ = DestroySessionData(c)
+			c.Abort()
+			s.GetHandleError(c, http.StatusUnauthorized, "unauthorized", "session no longer available")
+			return
+		}
+
 		// Continue down the chain to handler etc
 		c.Next()
 	}
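Review bot: isUserStillValid only tests that GetUser returns non-nil, so a session survives for as long as a user record exists; if the user store can hold disabled or deactivated accounts, those would presumably still pass this check, which is worth confirming against the store before relying on it as the session-revocation gate. The if/return-false/return-true shape can be collapsed to `return s.users.GetUser(email) != nil`. A doc comment stating the contract would help callers, e.g. `// isUserStillValid reports whether the user identified by email still exists in the user store; it is used to invalidate sessions of removed users.`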
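Review bot: The error from `DestroySessionData(c)` is discarded with `_ =` and no comment explains why, so a reader cannot tell whether a failed session teardown is acceptable here. Since the request is rejected with 401 on the next lines regardless, the discard is defensible, but it should say so and ideally be logged so a failing session store is visible, e.g. `if err := DestroySessionData(c); err != nil { log.Printf("destroying session for %q: %v", session.Email, err) }` (using whatever logger the package already has). Note that this check calls into the user store on every authenticated request; whether that is a cached lookup or a database round-trip is not visible in the hunk. RequireAuthentication begins outside the hunk, so the earlier checks that establish `session` are not visible here.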