From 8115c509746977a2c5591a28479a8fa2e64431ed Mon Sep 17 00:00:00 2001
From: Jason Streifling
Date: Sun, 18 Aug 2024 11:40:03 +0200
Subject: [PATCH] Fixed a bug that let users get around verification.

---
 cmd/frontend/verification.go | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/cmd/frontend/verification.go b/cmd/frontend/verification.go
index 7aded9b..9a62da5 100644
--- a/cmd/frontend/verification.go
+++ b/cmd/frontend/verification.go
@@ -1,6 +1,7 @@
 package frontend
 
 import (
+ "errors"
 "html/template"
 "net/http"
 
@@ -10,13 +11,19 @@ import (
 
 // getSession is used for verifying that the user is logged in and returns their session and an error.
 func getSession(w http.ResponseWriter, r *http.Request, c *b.Config, s *b.CookieStore) (*sessions.Session, error) {
+ msg := "Keine gültige Session. Bitte erneut anmelden."
+ tmpl, tmplErr := template.ParseFiles(c.WebDir+"/templates/index.html", c.WebDir+"/templates/login.html")
+
 session, err := s.Get(r, "cookie")
 if err != nil {
- msg := "Session nicht mehr gültig. Bitte erneut anmelden."
- tmpl, tmplErr := template.ParseFiles(c.WebDir + "/templates/login.html")
 template.Must(tmpl, tmplErr).ExecuteTemplate(w, "page-content", msg)
 return nil, err
 }
 
+ if session.IsNew {
+ template.Must(tmpl, tmplErr).ExecuteTemplate(w, "page-content", msg)
+ return session, errors.New("error: no existing session")
+ }
+
 return session, nil
 }
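Review bot: The new `session.IsNew` guard in getSession only shows that the request carried a cookie the store could decode, not that the session belongs to a logged-in user. If any handler saves a session before authentication succeeds (not visible in this patch), that session would still pass here. Assuming `sessions` is gorilla/sessions, the guard should also require a marker written at login, e.g. `if _, ok := session.Values["<login-marker-key>"]; !ok { ... }` using the project's own key. Separately, hoisting `template.ParseFiles` to the top means both templates are parsed on every call, including the authenticated path, and `template.Must` turns a missing or broken template into a panic inside the request; parsing once at startup and returning `tmplErr` would avoid both. The `ExecuteTemplate` error is dropped on both rejection paths, so a failed render goes unnoticed.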