From 9251beba683ec8b7554ea25058d8479e2436250a Mon Sep 17 00:00:00 2001
From: jamey
Date: Thu, 12 Feb 2026 14:46:07 +0000
Subject: [PATCH] fix ThemeHook gate to validate session token not just presence

Check socket.assigns.current_scope (validated by mount_current_scope) instead of raw session token. Prevents stale/invalid session cookies from bypassing the site-live gate.

Co-Authored-By: Claude Opus 4.6
---
 lib/simpleshop_theme_web/theme_hook.ex | 5 +++--
 .../live/shop/coming_soon_test.exs | 10 ++++++++++
 2 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/lib/simpleshop_theme_web/theme_hook.ex b/lib/simpleshop_theme_web/theme_hook.ex
index 5f0e8f0..f085533 100644
--- a/lib/simpleshop_theme_web/theme_hook.ex
+++ b/lib/simpleshop_theme_web/theme_hook.ex
@@ -42,12 +42,13 @@ defmodule SimpleshopThemeWeb.ThemeHook do
 {:cont, socket}
 end
 
- def on_mount(:require_site_live, _params, session, socket) do
+ def on_mount(:require_site_live, _params, _session, socket) do
 cond do
 Settings.site_live?() ->
 {:cont, socket}
 
- session["user_token"] ->
+ # mount_current_scope runs first, so current_scope is already validated
+ socket.assigns[:current_scope] && socket.assigns.current_scope.user ->
 {:cont, socket}
 
 not SimpleshopTheme.Accounts.has_admin?() ->
diff --git a/test/simpleshop_theme_web/live/shop/coming_soon_test.exs b/test/simpleshop_theme_web/live/shop/coming_soon_test.exs
index eb1dc34..a3e80f0 100644
--- a/test/simpleshop_theme_web/live/shop/coming_soon_test.exs
+++ b/test/simpleshop_theme_web/live/shop/coming_soon_test.exs
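Review bot: The rewritten bypass branch still admits any authenticated account through the coming-soon gate, not only an admin — `socket.assigns.current_scope.user` is tested for truthiness alone, so if registration remains open once an admin exists (not visible in this hunk), any newly registered user can view the unlaunched shop; if the user struct carries a role or admin flag, match on it here, or state in the comment that every signed-in user is meant to bypass the gate. The added comment `# mount_current_scope runs first` records an ordering requirement on the `live_session` hook list that nothing in this module enforces; the branch does fail closed when the assign is absent (nil falls through to the later clauses), but a pattern match makes the dependency explicit and drops the mixed `[:current_scope]`/`.current_scope` access: `match?(%{current_scope: %{user: %{}}}, socket.assigns) ->`. A test that mounts `:require_site_live` without `mount_current_scope` (so `current_scope` is never assigned) would pin that fail-closed behaviour alongside the new stale-token test. `on_mount/4` continues past the end of the hunk.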
@@ -56,6 +56,16 @@ defmodule SimpleshopThemeWeb.Shop.ComingSoonTest do
 assert {:error, {:redirect, %{to: "/users/register"}}} = live(conn, ~p"/")
 end
 
+ test "redirects when session token is stale (user deleted)", %{conn: conn} do
+ user = user_fixture()
+ conn = log_in_user(conn, user)
+
+ # Delete the user — session cookie is now stale
+ SimpleshopTheme.Repo.delete!(user)
+
+ assert {:error, {:redirect, %{to: "/users/register"}}} = live(conn, ~p"/")
+ end
+
 test "gates all public shop routes", %{conn: conn} do
 user_fixture()