// KillSession deletes a session for an existing user account based on
// the session token
func (a *AuthAPI) KillSession(params *api.Request) api.Response {
sessionToken, found := filter.GetStringParameter("token", params.Form)
if !found || len(sessionToken) == 0 {
return api.BadRequest(ErrTokenNotSpecified)
}
session, err := cookies.GetSession(sessionToken)
if err != nil {
return api.InternalServerError(err)
}
err = session.Delete()
if err != nil {
return api.InternalServerError(err)
}
return api.StatusResponse(http.StatusOK)
}
// Authorize tries to authorize an existing gostToken
func Authorize(httpHeader http.Header) (*identity.Identity, error) {
ghostToken, err := extractGhostToken(httpHeader)
if err != nil {
if err == errAnonymousUser {
return identity.NewAnonymous(), nil
}
return nil, err
}
encryptedToken, err := util.Decode([]byte(ghostToken))
if err != nil {
return nil, err
}
jsonToken, err := security.Decrypt(encryptedToken)
if err != nil {
return nil, err
}
cookie := new(cookies.Session)
err = util.DeserializeJSON(jsonToken, cookie)
if err != nil {
return nil, err
}
dbCookie, err := cookies.GetSession(cookie.Token)
if err != nil || dbCookie == nil {
return nil, ErrDeactivatedUser
}
if !identity.IsUserActivated(dbCookie.UserID) {
return nil, ErrDeactivatedUser
}
go dbCookie.ResetToken()
return identity.New(dbCookie), nil
}