Be safer about removals from the active tokens list

2025-01-25 13:33:36 -06:00 · 2025-01-25 13:33:36 -06:00 · 228f430797
commit 228f430797
parent 6e12e28cd7
1 changed files with 14 additions and 5 deletions
--- a/cpp/web_server.cpp
+++ b/cpp/web_server.cpp
@ -80,21 +80,30 @@ WebServer::WebServer(QObject *parent) : QObject(parent) {}
 }

 [[nodiscard]] bool WebServer::validate_token(const QString& token) {
-    // Always 64 characters
+    // Validate token length
    if (token.size() != 64) return false;
-    // Can't validate the active token if there aren't any
+
+    // If there are no active tokens, validation fails
    if (_active_tokens.isEmpty()) return false;
-    // Always present in active_tokens, and not expired
+
+    // Check if the token exists in the active tokens map
    auto it = _active_tokens.find(token);
-    if (it != _active_tokens.end() && it.value() >= QDateTime::currentDateTime()) return true;
-    else {
+    if (it != _active_tokens.end()) {
+        // Check if the token is not expired
+        if (it.value() >= QDateTime::currentDateTime()) return true;
+
+        // Token is expired, erase it safely
        _active_tokens.erase(it);

+        // Also remove the token from the person map, if it exists
        auto person_it = _token_person.find(token);
        if (person_it != _token_person.end()) _token_person.erase(person_it);

        return false;
    }
+
+    // Token not found
+    return false;
 }

 [[nodiscard]] QHttpServerResponse WebServer::verify_session_token(const QHttpServerRequest &request, const QHttpHeaders &headers) {