Fix auth ordering: validate grant before loading user

_load_user ran before _check_auth_state, so g.user was set to the wrong
user before the grant check could clear the stale session. Now grant
verification runs first, ensuring stale sessions are cleared before
the user is loaded.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-02-26 12:22:35 +00:00
parent 984ef9c65e
commit 404449fcab


@@ -147,16 +147,8 @@ def create_base_app(
g.scheme = request.scheme
g.host = request.host
@app.before_request
async def _load_user():
await load_current_user()
# Register any app-specific before-request hooks (e.g. cart loader)
if before_request_fns:
for fn in before_request_fns:
app.before_request(fn)
# Auth state check via grant verification + silent OAuth handshake
# MUST run before _load_user so stale sessions are cleared first
if name != "account":
@app.before_request
async def _check_auth_state():
@@ -248,6 +240,15 @@ def create_base_app(
return
return redirect(f"/auth/login?prompt=none&next={_quote(request.url, safe='')}")
@app.before_request
async def _load_user():
await load_current_user()
# Register any app-specific before-request hooks (e.g. cart loader)
if before_request_fns:
for fn in before_request_fns:
app.before_request(fn)
@app.before_request
async def _csrf_protect():
await protect()
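Review bot: The new position of `_load_user` (hunk `-248,6 +240,15`) enforces the grant-check-before-user-load ordering purely by `before_request` registration order, and the only comment stating that invariant sits on `_check_auth_state`; nothing at the `_load_user` site stops a later hook from being registered above it and reintroducing the stale-`g.user` bug this commit fixes. Add a matching comment above the moved registration, e.g. `# Registered after _check_auth_state on purpose: the grant check must clear a stale session before g.user is loaded from it`, and consider a test that asserts the order of the registered hooks (Flask/Quart keep the app-level list in `app.before_request_funcs[None]`), so a reordering fails loudly instead of silently loading the wrong user. The rendered diff has lost indentation, so please also confirm that the moved `_load_user` and the `before_request_fns` loop sit at `create_base_app` level rather than inside the `if name != "account":` block that wraps `_check_auth_state`; if they were nested there, the account app would register no user loader at all. Both `create_base_app` and the body of `_check_auth_state` extend beyond the hunk.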