From 2ca861596443192b46f6caefe33dad74fcc24009 Mon Sep 17 00:00:00 2001
From: Marius David Wieschollek <passwords.public@mdns.eu>
Date: Sat, 16 Jan 2021 21:05:31 +0100
Subject: Fix session overwrite from cached results

Signed-off-by: Marius David Wieschollek <passwords.public@mdns.eu>
---
 src/Model/Session/Session.js |  1 +
 src/Network/ApiRequest.js    | 22 +++++++++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

(limited to 'src')

diff --git a/src/Model/Session/Session.js b/src/Model/Session/Session.js
index f01f398..5a02bac 100644
--- a/src/Model/Session/Session.js
+++ b/src/Model/Session/Session.js
@@ -21,6 +21,7 @@ export default class Session {
      */
     setId(value) {
         this._id = value;
+        this._authorized = false;
 
         return this;
     }
diff --git a/src/Network/ApiRequest.js b/src/Network/ApiRequest.js
index 1c0dd1a..1e975af 100644
--- a/src/Network/ApiRequest.js
+++ b/src/Network/ApiRequest.js
@@ -126,7 +126,7 @@ export default class ApiRequest {
             .setHttpStatus(httpResponse.status)
             .setHttpResponse(httpResponse);
 
-        this._session.setId(httpResponse.headers.get('x-api-session'));
+        this._updateSessionId(httpResponse);
 
         if(this._responseType !== null && contentType && contentType.indexOf(this._responseType) === -1) {
             let error = this._api.getClass('exception.contenttype', this._responseType, contentType, httpResponse);
@@ -143,6 +143,26 @@ export default class ApiRequest {
         return response;
     }
 
+    /**
+     *
+     * @param httpResponse
+     * @private
+     */
+    _updateSessionId(httpResponse) {
+        if(httpResponse.headers.has('x-api-session')) {
+            if(httpResponse.headers.has('cache-control') && httpResponse.headers.get('cache-control').indexOf('immutable') !== -1) return;
+            if(httpResponse.headers.has('pragma') && httpResponse.headers.get('pragma') === 'cache') return;
+
+            if(httpResponse.headers.has('date')) {
+                let date = new Date(httpResponse.headers.get('date')),
+                    now  = Date.now() - 300000;
+                if(date.getTime() < now) return;
+            }
+
+            this._session.setId(httpResponse.headers.get('x-api-session'));
+        }
+    }
+
     /**
      *
      * @return {{redirect: string, headers: Headers, method: string, credentials: string}}
-- 
cgit v1.2.3