wip: debugging session authentication

internal/api/middleware.go

@@ -11,8 +11,18 @@ func SessionMiddleware(next echo.HandlerFunc) echo.HandlerFunc {
 	return func(context echo.Context) error {
 		sess, err := session.Get("session", context)
 
-		if sess == nil || err != nil {
-			return context.String(http.StatusBadRequest, "User not authenticated!")
+		if err != nil {
+			return context.String(http.StatusUnauthorized, "User not authenticated!")
+		}
+
+		cookie, err := context.Cookie("session")
+
+		if err != nil {
+			return context.String(http.StatusUnauthorized, "User not authenticated!")
+		}
+
+		if sess.IsNew || cookie.Value == "" || sess.Values["id"] == "" {
+			return context.String(http.StatusUnauthorized, "User not authenticated!")
 		}
 
 		context.Set("id", sess.Values["id"])

internal/api/routes.go

@@ -18,7 +18,7 @@ func (api *API) UserRoutes() {
 	users.GET("/", api.GetAllUsersHandler)
 	users.POST("/", api.CreateUserHandler)
 	users.GET("/:id", api.GetUserHandler)
-	users.PUT("/:id", api.UpdateUserHandler)
+	users.PUT("/:id", api.UpdateUserHandler, SessionMiddleware)
 	users.PUT("/:id/security", api.UpdateUserSecurityDetailsHandler)
 	users.PUT("/:id/logo", api.UpdateUserLogoHandler, middleware.BodyLimit("2M"))
 	users.DELETE("/:id", api.DeleteUserHandler)

internal/lib/utils.go

@@ -23,7 +23,7 @@ func GetConfigDirectory() (string, error) {
 func ConstructSession(session *sessions.Session, user types.User) {
 	session.Options = &sessions.Options{
 		Path:     "/",
-		MaxAge:   86400 * 7,
+		MaxAge:   3600,
 		HttpOnly: true,
 	}
 	session.Values["id"] = user.ID