From 587179c2f07f6dde69d0a2bc867ecf10efdd28ce Mon Sep 17 00:00:00 2001
From: Jonni Liljamo
Date: Fri, 6 Oct 2023 15:33:45 +0300
Subject: [PATCH] fix: verify users existence in IsAuthenticated

---
 middlewares/auth.go | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/middlewares/auth.go b/middlewares/auth.go
index b7a8d38..5d1b65b 100644
--- a/middlewares/auth.go
+++ b/middlewares/auth.go
@@ -7,7 +7,12 @@ package middlewares
 import (
+ "context"
+ "log"
 "net/http"
+ "tixe/db"
+ "tixe/types"
+ "tixe/util"
 "github.com/gin-contrib/sessions"
 "github.com/gin-gonic/gin"
@@ -15,10 +20,30 @@ import (
 func IsAuthenticated(c *gin.Context) {
 if sessions.Default(c).Get("profile") == nil {
- // TODO: This should probably be validated somehow... DB lookup or something.
 c.Redirect(http.StatusSeeOther, "/login")
 c.Abort()
 } else {
+ // Here, we verify if the user actually exists. Bla bla forgery, bla bla,
+ // but mainly this was an issue on the demo.
+ session := sessions.Default(c)
+ user := session.Get("user").(types.User)
+
+ var exists bool
+ err := db.PgPool.QueryRow(context.Background(),
+ "SELECT EXISTS(SELECT 1 FROM users WHERE id = $1)",
+ user.Id).Scan(&exists)
+ if err != nil || !exists {
+ c.Redirect(http.StatusSeeOther, "/login")
+ c.Abort()
+ session.Clear()
+ if err := session.Save(); err != nil {
+ errStr := "Failed to save session"
+ log.Printf("[tixe/auth] ERROR: %s: %v", errStr, err)
+ util.RenderError(c, "session error", errStr, nil)
+ return
+ }
+ }
+ c.Next()
 }
 }
-- 
2.44.1