fixed issue with gothic not handling multiple logins correctly
Showing 1 changed file with 4 additions and 1 deletion.
9885e53
Can you explain the problem that's being solved here?
I'm not entirely sure I understand it :-)
Is this about users having sessions with multiple oauth providers at the same time? Wouldn't that be solved by removing all sessions with providers which are not x, when completing the flow for provider x?
After this change, we immediately remove the session with the provider at login. No cookies are left. No session is left. In terms of examples: If one logs in in the example main.go, login does fetch userinfo, create a session, and immediately deletes that session. Refreshing the page will already leave a user without session.
Is this the intention (it means any type of session management is left to the user, basically they'd need to overwrite the CompleteUserAuth function)? Can you clarify this?
9885e53
The session here is an internal session for goth to use to store information it needs during the auth phase. It was never to be used by the end user for their application's session. The problem this fixed was that the goth session was being kept around and was causing problems if someone tried to log in with one provider and then another.
Session management for your application should be done by you in your application. Goth doesn’t manage that.
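The split described in the reply above, as an added standard-library sketch that is not part of the thread or of goth's code: the temporary auth-phase cookie is expired when the flow completes, and the application issues and verifies its own signed session. The cookie names, `appKey`, `completeAuth` and `currentUser` are hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical names: authStateCookie stands in for the library's temporary
// auth-phase session, appCookie is the application's own session.
const authStateCookie, appCookie = "auth_state", "app_session"

var appKey = []byte("constructed-demo-key") // assumption: loaded from a secret store

// sign appends an HMAC-SHA256 tag so the client cannot alter the user ID.
func sign(v string) string {
	m := hmac.New(sha256.New, appKey)
	m.Write([]byte(v))
	return v + "." + base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// completeAuth runs at the end of the provider callback: it expires the
// auth-phase cookie and starts the application-owned session.
func completeAuth(w http.ResponseWriter, userID string) {
	http.SetCookie(w, &http.Cookie{Name: authStateCookie, Path: "/", MaxAge: -1})
	http.SetCookie(w, &http.Cookie{Name: appCookie, Value: sign(userID), Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
}

// currentUser trusts only the application cookie, and only with a valid tag.
func currentUser(r *http.Request) (string, bool) {
	c, err := r.Cookie(appCookie)
	if err != nil {
		return "", false
	}
	i := strings.LastIndex(c.Value, ".")
	if i < 0 || !hmac.Equal([]byte(sign(c.Value[:i])), []byte(c.Value)) {
		return "", false
	}
	return c.Value[:i], true
}

func main() {
	rec := httptest.NewRecorder()
	completeAuth(rec, "github:1234") // constructed user ID
	fmt.Println(rec.Header().Values("Set-Cookie"))
}
```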