enforce valid session requirement for all backchannel requests

not checking for this results in a NPE anyway, definitely better to return a nicer error result
2016-05-12 14:52:07 -04:00 · 2016-05-12 14:52:07 -04:00 · 3f81f59a2a
parent 4554adcecd
commit 3f81f59a2a
1 changed files with 7 additions and 3 deletions
--- a/clj-browserchannel/src/net/thegeez/browserchannel/server.clj
+++ b/clj-browserchannel/src/net/thegeez/browserchannel/server.clj
@ -745,10 +745,14 @@
  [req options]
  (let [SID           (get-in req [:query-params "SID"])
        ;; session-agent might be nil, then it will be created by
-        ;; handle-forward-channel
+        ;; handle-forward-channel.
+        ;; however, we must have a non-nil session-agent (and hence, a
+        ;; pre-existing session) for all invocations of handle-backward-channel
        session-agent (@sessions SID)]
-    (if (and SID
-             (not session-agent))
+    (if (or (and (= :get (:request-method req))
+                 (not session-agent))
+            (and SID
+                 (not session-agent)))
      ;; SID refers to an already created session, which therefore
      ;; must exist
      (error-response 400 "Unknown SID")