fixed viewing invisible releases with admin session

controller/account.go

@@ -2,7 +2,6 @@ package controller
 
 import (
 	"arimelody-web/model"
-	"net/http"
 	"strings"
 
 	"github.com/jmoiron/sqlx"
@@ -77,19 +76,6 @@ func GetAccountBySession(db *sqlx.DB, sessionToken string) (*model.Account, erro
     return &account, nil
 }
 
-func GetSessionFromRequest(db *sqlx.DB, r *http.Request) string {
-    tokenStr := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
-    if len(tokenStr) > 0 {
-        return tokenStr
-    }
-
-    cookie, err := r.Cookie(model.COOKIE_TOKEN)
-    if err != nil {
-        return ""
-    }
-    return cookie.Value
-}
-
 func CreateAccount(db *sqlx.DB, account *model.Account) error {
     err := db.Get(
         &account.ID,

controller/session.go

@@ -2,6 +2,10 @@ package controller
 
 import (
 	"database/sql"
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
 	"time"
 
 	"arimelody-web/model"
@@ -11,6 +15,30 @@ import (
 
 const TOKEN_LEN = 64
 
+func GetSessionFromRequest(db *sqlx.DB, r *http.Request) (*model.Session, error) {
+    sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
+    if err != nil && err != http.ErrNoCookie {
+        return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v", err))
+    }
+
+    var session *model.Session
+
+    if sessionCookie != nil {
+        // fetch existing session
+        session, err = GetSession(db, sessionCookie.Value)
+
+        if err != nil && !strings.Contains(err.Error(), "no rows") {
+            return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v", err))
+        }
+
+        if session != nil {
+            // TODO: consider running security checks here (i.e. user agent mismatches)
+        }
+    }
+
+    return session, nil
+}
+
 func CreateSession(db *sqlx.DB, userAgent string) (*model.Session, error) {
     tokenString := GenerateAlnumString(TOKEN_LEN)