enforce valid session requirement for all backchannel requests

not checking for this results in a NPE anyway, definitely better to
return a nicer error result
Gered 2016-05-12 14:52:07 -04:00
parent 4554adcecd
commit 3f81f59a2a

@ -745,10 +745,14 @@
[req options] [req options]
(let [SID (get-in req [:query-params "SID"]) (let [SID (get-in req [:query-params "SID"])
;; session-agent might be nil, then it will be created by ;; session-agent might be nil, then it will be created by
;; handle-forward-channel ;; handle-forward-channel.
;; however, we must have a non-nil session-agent (and hence, a
;; pre-existing session) for all invocations of handle-backward-channel
session-agent (@sessions SID)] session-agent (@sessions SID)]
(if (and SID (if (or (and (= :get (:request-method req))
(not session-agent)) (not session-agent))
(and SID
(not session-agent)))
;; SID refers to an already created session, which therefore ;; SID refers to an already created session, which therefore
;; must exist ;; must exist
(error-response 400 "Unknown SID") (error-response 400 "Unknown SID")
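Review bot: In the new `if` test, both arms of the `or` repeat `(not session-agent)`, and the GET arm now returns `(error-response 400 "Unknown SID")` even when the request carried no SID at all. Consider folding the test into `(and (not session-agent) (or SID (= :get (:request-method req))))`, which is equivalent in truthiness, and returning a distinct message when SID is nil so that a client or log reader can tell a missing parameter from a stale or unknown session. The comment inside the branch ("SID refers to an already created session, which therefore must exist") no longer describes the GET-without-SID case and should be updated to match. The check keys on `(= :get (:request-method req))` while the added comment speaks of handle-backward-channel; the dispatch is not visible in this hunk, so it is worth confirming that both use the same predicate, ideally through one shared helper.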