Update session and cookie managers

2025-11-05 23:44:22 +00:00 · 2024-12-07 21:19:02 +01:00
parent de9e9102db
commit 8a4508e29f
10 changed files with 111 additions and 56 deletions
--- a/server/internal/auth/middleware.go
+++ b/server/internal/auth/middleware.go
@@ -9,13 +9,17 @@ import (

 // Middleware handles JWT authentication for protected routes
 type Middleware struct {
-	jwtManager JWTManager
+	jwtManager     JWTManager
+	sessionManager SessionManager
+	cookieManager  CookieManager
 }

 // NewMiddleware creates a new authentication middleware
-func NewMiddleware(jwtManager JWTManager) *Middleware {
+func NewMiddleware(jwtManager JWTManager, sessionManager SessionManager, cookieManager CookieManager) *Middleware {
 	return &Middleware{
-		jwtManager: jwtManager,
+		jwtManager:     jwtManager,
+		sessionManager: sessionManager,
+		cookieManager:  cookieManager,
 	}
 }

@@ -42,6 +46,16 @@ func (m *Middleware) Authenticate(next http.Handler) http.Handler {
 			return
 		}

+		// Check if session is still valid in database
+		session, err := m.sessionManager.ValidateSession(claims.ID)
+		if err != nil || session == nil {
+			m.cookieManager.InvalidateCookie("access_token")
+			m.cookieManager.InvalidateCookie("refresh_token")
+			m.cookieManager.InvalidateCookie("csrf_token")
+			http.Error(w, "Session invalid or expired", http.StatusUnauthorized)
+			return
+		}
+
 		// Add CSRF check for non-GET requests
 		if r.Method != http.MethodGet && r.Method != http.MethodHead && r.Method != http.MethodOptions {
 			csrfCookie, err := r.Cookie("csrf_token")