From 61f13c67946e572387de8efc32907a4a0dae7a3f Mon Sep 17 00:00:00 2001
From: Shish
Date: Thu, 20 Jun 2024 01:07:34 +0100
Subject: [PATCH] [core] have User::by_session() check session ID on the PHP side

Generating the token on the PHP side is more consistent than getting the databases to do it
---
 core/user.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/core/user.php b/core/user.php
index e4010e4e..c41a067e 100644
--- a/core/user.php
+++ b/core/user.php
@@ -83,14 +83,15 @@ class User
 public static function by_session(string $name, string $session): ?User
 {
 global $cache, $config, $database;
- $row = $cache->get("user-session:$name-$session");
- if (is_null($row)) {
- $args = ["name" => $name, "ip" => get_session_ip($config), "sess" => $session];
- $query = "SELECT * FROM users WHERE name = :name AND md5(pass || :ip) = :sess";
- $row = $database->get_row($query, $args);
- $cache->set("user-session:$name-$session", $row, 600);
+ $user = $cache->get("user-session-obj:$name-$session");
+ if (is_null($user)) {
+ $user_by_name = User::by_name($name);
+ if($user_by_name->get_session_id() === $session) {
+ $user = $user_by_name;
+ }
+ $cache->set("user-session-obj:$name-$session", $user, 600);
 }
- return is_null($row) ? null : new User($row);
+ return $user;
 }
 
 public static function by_id(int $id): ?User
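Review bot: The added check `if($user_by_name->get_session_id() === $session)` calls a method on the result of `User::by_name($name)` without checking it for null, and `$name` is presumably supplied by the client. The signature of `by_name()` is not in the hunk, but the sibling lookups here are declared `?User`; if it returns null for an unknown name, this path raises a fatal error where the old query simply returned no row and the caller got null. The comparison is also a plain `===` between a secret session token and client-supplied input, whereas `hash_equals()` compares in constant time (assuming `get_session_id()` returns a string). Both points are covered by changing the condition to `if (!is_null($user_by_name) && hash_equals($user_by_name->get_session_id(), $session)) {`.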