From 25ee4226d3a1c592eb56ad82b919fac3163c525e Mon Sep 17 00:00:00 2001
From: xAmast <58246546+xAmast@users.noreply.github.com>
Date: Sat, 29 Oct 2022 20:18:02 +0800
Subject: [PATCH] feat: clear the session of a signin but non-existent user (#1246)
---
 controllers/account.go | 3 +--
 controllers/base.go | 11 +++++++----
 controllers/util.go | 1 +
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/controllers/account.go b/controllers/account.go
index 236a7c22..8778cf56 100644
--- a/controllers/account.go
+++ b/controllers/account.go
@@ -245,8 +245,7 @@ func (c *ApiController) Logout() {
 util.LogInfo(c.Ctx, "API: [%s] logged out", user)
 application := c.GetSessionApplication()
- c.SetSessionUsername("")
- c.SetSessionData(nil)
+ c.ClearUserSession()
 if application == nil || application.Name == "app-built-in" || application.HomepageUrl == "" {
 c.ResponseOk(user)
diff --git a/controllers/base.go b/controllers/base.go
index 08af3d4b..0fca671f 100644
--- a/controllers/base.go
+++ b/controllers/base.go
@@ -63,8 +63,7 @@ func (c *ApiController) GetSessionUsername() string {
 if sessionData != nil && sessionData.ExpireTime != 0 && sessionData.ExpireTime < time.Now().Unix() {
- c.SetSessionUsername("")
- c.SetSessionData(nil)
+ c.ClearUserSession()
 return ""
 }
@@ -85,13 +84,17 @@ func (c *ApiController) GetSessionApplication() *object.Application {
 return application
 }
+func (c *ApiController) ClearUserSession() {
+ c.SetSessionUsername("")
+ c.SetSessionData(nil)
+}
+
 func (c *ApiController) GetSessionOidc() (string, string) {
 sessionData := c.GetSessionData()
 if sessionData != nil && sessionData.ExpireTime != 0 && sessionData.ExpireTime < time.Now().Unix() {
- c.SetSessionUsername("")
- c.SetSessionData(nil)
+ c.ClearUserSession()
 return "", ""
 }
 scopeValue := c.GetSession("scope")
diff --git a/controllers/util.go b/controllers/util.go
index dc5fb9b3..b7c8401c 100644
--- a/controllers/util.go
+++ b/controllers/util.go
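Review bot: In controllers/base.go the new `ClearUserSession` only blanks the username and the session data, so any other key stored in the same session survives it; `GetSessionOidc` in this same hunk reads `c.GetSession("scope")`, which the helper never resets. Since the helper is now the shared sign-out path for `Logout`, both expiry checks and `RequireSignedInUser`, it would be safer to also delete the remaining per-user keys or destroy the session outright (Beego's `c.DestroySession()`, assuming `ApiController` embeds the Beego controller, which is not visible here), so that nothing from the old identity carries over to the next sign-in on the same cookie. The exported method also has no doc comment; something like `// ClearUserSession resets the session username and session data; it does not invalidate the session ID.` would state the current contract. `GetSessionOidc` continues past the end of the hunk.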
@@ -98,6 +98,7 @@ func (c *ApiController) RequireSignedInUser() (*object.User, bool) {
 user := object.GetUser(userId)
 if user == nil {
+ c.ClearUserSession()
 c.ResponseError(fmt.Sprintf(c.T("UserErr.DoNotExist"), userId))
 return nil, false
 }
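Review bot: The added `c.ClearUserSession()` runs for every nil result of `object.GetUser(userId)`, and that call returns no error here, so a failed lookup would be handled exactly like a deleted account and would sign the user out; it is worth confirming that GetUser cannot return nil on a transient database error. The event is also silent: a session that names a non-existent user is worth a log line for detection, e.g. `util.LogInfo(c.Ctx, "API: [%s] session cleared, user does not exist", userId)` before the response, if `util` is imported in this file (Logout in account.go logs the same way). The existence check lives only in `RequireSignedInUser`; the `GetSessionUsername` hunk shows only an expiry check, so handlers that rely on it alone presumably still accept such a session until a guarded endpoint is hit. The function begins before the hunk.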