From 404449fcab126b265d2ffdb818250b798eefddfb Mon Sep 17 00:00:00 2001
From: giles
Date: Thu, 26 Feb 2026 12:22:35 +0000
Subject: [PATCH] Fix auth ordering: validate grant before loading user

_load_user ran before _check_auth_state, so g.user was set to the wrong user before the grant check could clear the stale session. Now grant verification runs first, ensuring stale sessions are cleared before the user is loaded.

Co-Authored-By: Claude Opus 4.6
---
 shared/infrastructure/factory.py | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/shared/infrastructure/factory.py b/shared/infrastructure/factory.py
index 5c29852..88c84c0 100644
--- a/shared/infrastructure/factory.py
+++ b/shared/infrastructure/factory.py
@@ -147,16 +147,8 @@ def create_base_app(
         g.scheme = request.scheme
         g.host = request.host
 
-    @app.before_request
-    async def _load_user():
-        await load_current_user()
-
-    # Register any app-specific before-request hooks (e.g. cart loader)
-    if before_request_fns:
-        for fn in before_request_fns:
-            app.before_request(fn)
-
     # Auth state check via grant verification + silent OAuth handshake
+    # MUST run before _load_user so stale sessions are cleared first
     if name != "account":
         @app.before_request
         async def _check_auth_state():
@@ -248,6 +240,15 @@ def create_base_app(
                 return
             return redirect(f"/auth/login?prompt=none&next={_quote(request.url, safe='')}")
 
+    @app.before_request
+    async def _load_user():
+        await load_current_user()
+
+    # Register any app-specific before-request hooks (e.g. cart loader)
+    if before_request_fns:
+        for fn in before_request_fns:
+            app.before_request(fn)
+
     @app.before_request
     async def _csrf_protect():
         await protect()
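Review bot: The added `# MUST run before _load_user` comment documents an ordering that nothing in the code enforces — it holds only because `_load_user` is now registered further down in `create_base_app`, and a later edit that moves either registration (or wraps one in a condition, as `if name != "account":` already does for this hook) would silently reintroduce the wrong-`g.user` bug the commit message describes. Quart/Flask run `before_request` hooks in registration order, so the guarantee is real today, but since it is the whole fix I would pin it with a regression test for a non-account app: `names = [f.__name__ for f in app.before_request_funcs[None]]` then `assert names.index("_check_auth_state") < names.index("_load_user")`. Worth noting in the comment as well that hooks run in registration order, so a reader knows why position matters. `create_base_app` begins and ends outside this hunk, as do the bodies of both hooks.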
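Review bot: The relocated `before_request_fns` registration keeps app-specific hooks (the "cart loader" example) ahead of `_csrf_protect`, so any such hook that writes session or database state on a POST does so before the CSRF token is verified; the previous position had the same property, so this may be intentional, but the commit does not say so. If those hooks are meant to be read-only, I would state it where callers will see it: `# Register any app-specific before-request hooks (e.g. cart loader). These run before CSRF protection and must not mutate state.`; otherwise consider registering them after `_csrf_protect`. One positive side effect of the new order is that these hooks now see `g.user` only after the grant check has had a chance to clear a stale session. `create_base_app` and `_check_auth_state` continue outside this hunk.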