[PR #2535] [MERGED] fix: correct session DELETE tautology and HTTP cookie domain interpolation #3017

New Issue

Closed

opened 2026-04-16 09:44:44 -05:00 by GiteaMirror · 0 comments

GiteaMirror commented 2026-04-16 09:44:44 -05:00

Owner

Copy Link

📋 Pull Request Information

Original PR: https://github.com/fosrl/pangolin/pull/2535
Author: @Abhinav-kodes
Created: 2/25/2026
Status: ✅ Merged
Merged: 2/25/2026
Merged by: @oschwartz10612

Base: dev ← Head: fix-resource-session-delete-cookie

---

📝 Commits (1)

• c64dd14 fix: correct session DELETE tautology and HTTP cookie domain interpolation

📊 Changes

1 file changed (+2 additions, -2 deletions)

View changed files

📝 server/auth/sessions/resource.ts (+2 -2)

📄 Description

Community Contribution License Agreement

By creating this pull request, I grant the project maintainers an unlimited,
perpetual license to use, modify, and redistribute these contributions under any terms they
choose, including both the AGPLv3 and the Fossorial Commercial license terms. I
represent that I have the right to grant this license for all contributed content.

Description

Two bugs in server/auth/sessions/resource.ts with minimal, surgical fixes.
Changes are limited to two single-line corrections — no architecture changes, no new abstractions.

Closes #2534

Fix 1 — Session DELETE tautology

validateResourceSessionToken was deleting all rows in resourceSessions on any expiry because the WHERE clause compared the column to itself:

// Before — tautology, deletes everything
.where(eq(resourceSessions.sessionId, resourceSessions.sessionId)

// After — targets only the expired session
.where(eq(resourceSessions.sessionId, sessionId)

Fix 2 — HTTP cookie Domain broken template literal

serializeResourceSessionCookie had a missing { in the HTTP path:

// Before — sends literal string "$domain}" to browser
`... Domain=$domain}`

// After — correctly interpolates the domain variable
`... Domain=${domain}`

Testing

• Verified expired session only deletes itself, not others
• Verified HTTP resource cookie is correctly scoped to domain

---

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/fosrl/pangolin/pull/2535 **Author:** [@Abhinav-kodes](https://github.com/Abhinav-kodes) **Created:** 2/25/2026 **Status:** ✅ Merged **Merged:** 2/25/2026 **Merged by:** [@oschwartz10612](https://github.com/oschwartz10612) **Base:** `dev` ← **Head:** `fix-resource-session-delete-cookie` --- ### 📝 Commits (1) - [`c64dd14`](https://github.com/fosrl/pangolin/commit/c64dd14b1a1fcc410c1adb6b02e063ce9d97c9b6) fix: correct session DELETE tautology and HTTP cookie domain interpolation ### 📊 Changes **1 file changed** (+2 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `server/auth/sessions/resource.ts` (+2 -2) </details> ### 📄 Description ## Community Contribution License Agreement By creating this pull request, I grant the project maintainers an unlimited, perpetual license to use, modify, and redistribute these contributions under any terms they choose, including both the AGPLv3 and the Fossorial Commercial license terms. I represent that I have the right to grant this license for all contributed content. ## Description Two bugs in `server/auth/sessions/resource.ts` with minimal, surgical fixes. Changes are limited to two single-line corrections — no architecture changes, no new abstractions. Closes #2534 ## Fix 1 — Session DELETE tautology `validateResourceSessionToken` was deleting all rows in `resourceSessions` on any expiry because the WHERE clause compared the column to itself: ```ts // Before — tautology, deletes everything .where(eq(resourceSessions.sessionId, resourceSessions.sessionId) // After — targets only the expired session .where(eq(resourceSessions.sessionId, sessionId) ``` ## Fix 2 — HTTP cookie Domain broken template literal `serializeResourceSessionCookie` had a missing `{` in the HTTP path: ```ts // Before — sends literal string "$domain}" to browser `... Domain=$domain}` // After — correctly interpolates the domain variable `... Domain=${domain}` ``` ## Testing - [x] Verified expired session only deletes itself, not others - [x] Verified HTTP resource cookie is correctly scoped to domain --- _{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

GiteaMirror added the pull-request label 2026-04-16 09:44:44 -05:00

GiteaMirror closed this issue 2026-04-16 09:44:45 -05:00

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

dependabot/npm_and_yarn/prod-patch-updates-64dd675a88

dependabot/npm_and_yarn/dev-minor-updates-10ef4f0f15

dev

dependabot/docker/node-26-alpine

dependabot/docker/docker/library/node-26-slim

dependabot/npm_and_yarn/multi-7bdfbe8666

crowdin_dev

resource-policies

redis

newt-install-commands

dependabot/npm_and_yarn/multi-d2fd79378c

dependabot/npm_and_yarn/uuid-14.0.0

dependabot/npm_and_yarn/postcss-8.5.10

miloschwartz-patch-2

dependabot/github_actions/actions/setup-node-6.4.0

dependabot/npm_and_yarn/next-16.2.1

dependabot/npm_and_yarn/recharts-3.8.1

dependabot/npm_and_yarn/next-intl-4.9.1

cross-org-idp

update-readme

miloschwartz-patch-1

breakout-sites-tables

revert-2766-feature/systemd-install-instructions

ssh

delete-account

msg-delivery

org-only-idp

cicd

patch

site-targets-auto-login

1.18.3-s.2

1.18.3

1.18.3-s.1

1.18.3-s.0

1.18.2-s.5

1.18.2-s.4

1.18.2-s.3

1.18.2-s.2

1.18.2-s.1

1.18.2

1.18.2-s.0

1.18.1-s.7

1.18.1-s.6

1.18.1-s.5

1.18.1-s.4

1.18.1-s.3

1.18.1-s.2

1.18.1

1.18.1-s.1

1.18.1-s.0

1.18.0-s.2

1.18.0-s.1

1.18.0

1.18.0-s.0

1.17.1-s.7

1.17.1-s.6

1.18.0-rc.0

1.17.1-s.5

1.17.1-s.4

1.17.1-s.3

1.17.1

1.17.1-s.2

1.17.1-s.1

1.17.1-s.0

1.17.0-s.4

1.17.0

1.17.0-s.3

1.17.0-s.2

1.17.0-s.1

1.17.0-s.0

1.17.0-rc.0

1.16.2-s.22

1.16.2-s.21

1.16.2-s.20

1.16.2-s.19

1.16.2-s.18

1.16.2-s.17

1.16.2-s.16

1.16.2-s.15

1.16.2-s.14

1.16.2-s.13

1.16.2-s.12

1.16.2-s.11

1.16.2-s.10

1.16.2-s.9

1.16.2-s.8

1.16.2-s.7

1.16.2-s.6

1.16.2-s.5

1.16.2-s.4

1.16.2-s.3

1.16.2-s.2

1.16.2-s.1

1.16.2

1.16.2-s.0

1.16.1-s.1

1.16.1

1.16.1-s.0

1.16.0

1.16.0-s.1

1.16.0-s.0

1.16.0-rc.0

1.15.4-s.10

1.15.4-s.9

1.15.4-s.8

1.15.4-s.7

1.15.4-s.6

1.15.4-s.5

1.15.4-s.4

1.15.4-s.3

1.15.4-s.2

1.15.4-s.1

1.15.4

1.15.4-s.0

1.15.3

1.15.3-s.1

1.15.3-s.0

1.15.2

1.15.1-s.1

1.15.1-s.0

1.15.1

1.15.0-s.5

1.15.0

1.15.0-s.4

1.15.0-s.3

1.15.0-s.2

1.15.0-s.1

1.15.0-s.0

1.15.0-rc.0

1.14.1-s.3

1.14.1-s.2

1.14.1-s.1

1.14.1-s.0

1.14.1

1.14.0-s.2

1.14.0

1.14.0-rc.0

1.13.1

1.13.1-s.0

1.13.0

1.13.0.s.0

1.13.0-rc.0

1.12.2-s.5

1.12.3

1.12.2-s.4

1.12.2-s.3

1.12.2-s.2

1.12.2-s.1

1.12.2

1.12.2-s.0

1.12.1

1.12.0

1.12.0-s.0

1.12.0-rc.0

1.11.1

1.11.1-s.0

1.11.0-s.5

1.11.0

1.11.0-s.4

1.11.0-s.3

1.11.0-s.2

1.11.0-s.1

1.11.0-s.0

1.10.3

1.10.2

1.10.1

1.10.0

1.9.4

1.9.3

1.9.2

1.9.1

1.9.0

1.8.0

1.7.3

1.7.2

1.7.1

1.7.0

1.6.2

1.6.1

1.6.0

1.5.1

1.5.0

1.4.0

1.3.2

1.3.1

1.3.0

1.2.0

1.1.0

1.0.1

1.0.0

1.0.0-beta.15

1.0.0-beta.14

1.0.0-beta.13

1.0.0-beta.12

1.0.0-beta.11

1.0.0-beta.10

1.0.0-beta.9

1.0.0-beta.8

1.0.0-beta.7

1.0.0-beta.6

1.0.0-beta.5

1.0.0-beta.4

1.0.0-beta.3

1.0.0-beta.2

1.0.0-beta.1

Labels

Clear labels

api

authentication

bug

config

dependencies

docker

documentation

enhancement

good first issue

help wanted

Improvement

Look Into

needs investigating

networking

new feature

non-critical bug

potential bug

pull-request

Mirrored from GitHub Pull Request

question

reverse proxy

Security

stale

ui

wontfix

No Label pull-request

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/pangolin#3017