From 2925ebe9e498c69ef066e83d21683c50c7a3bf9d Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen
Date: Fri, 9 Jun 2023 12:20:20 +0200
Subject: [PATCH] fix(handler/session): return metadata response even if session is inactive

---
 README.md | 5 ++++-
 pkg/handler/handler.go | 2 +-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 5613443..dd1e8cc 100644
--- a/README.md
+++ b/README.md
@@ -270,11 +270,14 @@ Sessions can be configured with a maximum lifetime with the `session.max-lifetim
 There's also an endpoint that returns metadata about the user's session as a JSON object at `GET /oauth2/session`. This endpoint will respond with HTTP status codes on errors:
-- `401 Unauthorized` - no session cookie or matching session found (e.g. user is not authenticated, or has logged out)
+- `401 Unauthorized` - no session cookie or matching session found
 - `500 Internal Server Error` - the session store is unavailable, or Wonderwall wasn't able to process the request
 Otherwise, an `HTTP 200 OK` is returned with the metadata with the `application/json` as the `Content-Type`.
+Note that this endpoint will return `HTTP 200 OK` for [_inactive_ sessions](#inactivity). This allows applications to display errors before redirecting the user to login on timeouts.
+This also means that you should not use the HTTP response status codes alone as an indication of whether the user is authenticated or not.
+
 #### Example Request:
diff --git a/pkg/handler/handler.go b/pkg/handler/handler.go
index cd962d5..65231b3 100644
--- a/pkg/handler/handler.go
+++ b/pkg/handler/handler.go
@@ -326,7 +326,7 @@ func (s *Standalone) Session(w http.ResponseWriter, r *http.Request) {
 	logger := mw.LogEntryFrom(r)
 	sess, err := s.SessionManager.Get(r)
-	if err != nil {
+	if err != nil && !errors.Is(err, session.ErrInactive) {
 		handleGetSessionError("session/info", w, r, err)
 		return
 	}
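Review bot: With the widened guard in the handler.go hunk, Session now proceeds with `sess` when `s.SessionManager.Get(r)` returns `session.ErrInactive`, but nothing in the hunk shows that Get populates `sess` alongside that error; if it returns a nil session with it, the code after the guard dereferences nil. The rest of Session, where `sess` is used, lies outside the hunk, so this cannot be confirmed here. If Get does guarantee a non-nil session for ErrInactive, that contract deserves a comment on the condition, e.g. `// ErrInactive is tolerated: Get still returns the timed-out session, and this endpoint reports inactive sessions with 200 (see README).`; otherwise add `if sess == nil { handleGetSessionError("session/info", w, r, err); return }` before `sess` is used. Since an inactive session now yields 200, the JSON body should carry the inactivity state explicitly so that clients, as the README change says, do not treat the status code alone as proof of an authenticated user.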