fix ThemeHook gate to validate session token not just presence

Check socket.assigns.current_scope (validated by mount_current_scope) instead of raw session token. Prevents stale/invalid session cookies from bypassing the site-live gate. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-12 14:46:07 +00:00 · 2026-02-12 14:46:07 +00:00 · 9251beba68
commit 9251beba68
parent 2cc8c4a9cb
2 changed files with 13 additions and 2 deletions
--- a/lib/simpleshop_theme_web/theme_hook.ex
+++ b/lib/simpleshop_theme_web/theme_hook.ex
@ -42,12 +42,13 @@ defmodule SimpleshopThemeWeb.ThemeHook do
    {:cont, socket}
  end

-  def on_mount(:require_site_live, _params, session, socket) do
+  def on_mount(:require_site_live, _params, _session, socket) do
    cond do
      Settings.site_live?() ->
        {:cont, socket}

-      session["user_token"] ->
+      # mount_current_scope runs first, so current_scope is already validated
+      socket.assigns[:current_scope] && socket.assigns.current_scope.user ->
        {:cont, socket}

      not SimpleshopTheme.Accounts.has_admin?() ->
--- a/test/simpleshop_theme_web/live/shop/coming_soon_test.exs
+++ b/test/simpleshop_theme_web/live/shop/coming_soon_test.exs
@ -56,6 +56,16 @@ defmodule SimpleshopThemeWeb.Shop.ComingSoonTest do
      assert {:error, {:redirect, %{to: "/users/register"}}} = live(conn, ~p"/")
    end

+    test "redirects when session token is stale (user deleted)", %{conn: conn} do
+      user = user_fixture()
+      conn = log_in_user(conn, user)
+
+      # Delete the user — session cookie is now stale
+      SimpleshopTheme.Repo.delete!(user)
+
+      assert {:error, {:redirect, %{to: "/users/register"}}} = live(conn, ~p"/")
+    end
+
    test "gates all public shop routes", %{conn: conn} do
      user_fixture()