auth: only allow logging out a session once

b8582dfc · Christian Pointner · dffb71f9 · b8582dfc · b8582dfc
Commit b8582dfc authored 5 years ago by Christian Pointner
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -167,7 +167,7 @@ func getSession(c *gin.Context) {

 func deleteSession(c *gin.Context) {
 	s := getSessionFromBearerToken(c.Request)
-	if s == nil {
+	if s == nil || s.State() > SessionStateLoggedIn {
 		sendHTTPInvalidSessionResponse(c)
 		return
 	}

--- a/contrib/sample-cfg.yaml
+++ b/contrib/sample-cfg.yaml
@@ -29,31 +29,31 @@ importer:
  normalizer: ffmpeg

 ### uncomment to enable authentication
-# auth:
-#   sessions:
-#     ## defaults to 24h
-#     max-age: 12h
-#     static:
-#       engine:
-#         secret: ${AURA_ENGINE_SECRET}
-#         readonly: true
-#         all-shows: true
-#   oidc:
-#     issuer-url: http://localhost:8000/openid
-#     client-id: ${OIDC_CLIENT_ID}
-#     client-secret: ${OIDC_CLIENT_SECRET}
-#     callback-url: http://localhost:8040/auth/oidc/callback
-#     login-timeout: 10m # defaults to 5 Minutes
-#   passwd:
-#     admin:
-#       password: ${ADMIN_PASSWORD}
-#       all-shows: true
-#     hugo:
-#       password: changeme
-#       readonly: true
-#       shows:
-#         - hugo
-#         - yet-another-hugo-show
+auth:
+  sessions:
+    ## defaults to 24h
+    max-age: 12h
+    static:
+      engine:
+        secret: ${AURA_ENGINE_SECRET}
+        readonly: true
+        all-shows: true
+  oidc:
+    issuer-url: http://localhost:8000/openid
+    client-id: ${OIDC_CLIENT_ID}
+    client-secret: ${OIDC_CLIENT_SECRET}
+    callback-url: http://localhost:8040/auth/oidc/callback
+    login-timeout: 10m # defaults to 5 Minutes
+  passwd:
+    admin:
+      password: ${ADMIN_PASSWORD}
+      all-shows: true
+    hugo:
+      password: changeme
+      readonly: true
+      shows:
+        - hugo
+        - yet-another-hugo-show

 ### uncomment to enable CORS headers
 ### see: https://godoc.org/github.com/rs/cors#Options