From dee173cc63d3b51d47c1a321096a4963fe458075 Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Thu, 28 Mar 2024 11:06:31 -0600
Subject: don't verify empty cookies
---
 api/auth.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'api/auth.go')
diff --git a/api/auth.go b/api/auth.go
index dcddf5a..0294edd 100644
--- a/api/auth.go
+++ b/api/auth.go
@@ -169,7 +169,7 @@ func VerifySessionContinuation(context *RequestContext, req *http.Request, resp
 user, userErr := getUserFromAuthHeader(context.DBConn, authHeader)

 sessionCookie, err := req.Cookie("session")
- if err == nil {
+ if err == nil && sessionCookie.Value != "" {
 user, userErr = getUserFromSession(context.DBConn, sessionCookie.Value)
 }

@@ -180,6 +180,8 @@ func VerifySessionContinuation(context *RequestContext, req *http.Request, resp
 Name: "session",
 MaxAge: 0, // reset session cookie in case
 })
+
+ context.User = nil
 return failure(context, req, resp)
 }

--
cgit v1.2.3-70-g09d2
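Review bot: The cookie branch in the first hunk overwrites the `user, userErr` pair returned by `getUserFromAuthHeader` whenever a non-empty `session` cookie is present, and nothing in the hunk states that this precedence is intended. A request carrying a valid Authorization header together with a stale cookie would presumably end in the failure branch shown in the second hunk, although the condition guarding that branch is outside both hunks. If the override is deliberate, a comment above the `if` such as `// a non-empty session cookie takes precedence over the Authorization header` would record it. If it is not, and assuming `userErr` is non-nil when header authentication fails, the condition could be `if userErr != nil && err == nil && sessionCookie.Value != ""`.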
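Review bot: `MaxAge: 0` on the cookie written in the failure path (second hunk) does not expire the cookie: in net/http a zero MaxAge emits no Max-Age attribute, and only a negative value is sent as `Max-Age: 0`. Unless the part of the literal above the hunk sets Expires, the browser keeps a `session` cookie and keeps sending it, which looks like the reason the first hunk now has to skip empty values. Changing the line to `MaxAge: -1, // expire the session cookie immediately` would actually remove it, provided Path and Domain match the values used when the cookie was issued. The cookie literal and the enclosing function both start outside the hunk, so those attributes cannot be checked from here.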