From 6f698f3f9c394c6f686fe563c1cc56861f7dc900 Mon Sep 17 00:00:00 2001
From: justcool393 <justcool393@gmail.com>
Date: Sat, 26 Nov 2022 18:32:52 -0600
Subject: [PATCH] fix session bug

---
 files/routes/allroutes.py |  4 +++-
 files/routes/wrappers.py  | 26 +++++++++++---------------
 2 files changed, 14 insertions(+), 16 deletions(-)

diff --git a/files/routes/allroutes.py b/files/routes/allroutes.py
index 6f19c5e9b..e6b4e3a1e 100644
--- a/files/routes/allroutes.py
+++ b/files/routes/allroutes.py
@@ -43,7 +43,9 @@ def before_request():
 	request.full_path = request.full_path.rstrip('?').rstrip('/')
 	if not request.full_path: request.full_path = '/'
 
-	session_init()
+	if not session.get("session_id"):
+		session.permanent = True
+		session["session_id"] = secrets.token_hex(49)
 
 
 @app.after_request
diff --git a/files/routes/wrappers.py b/files/routes/wrappers.py
index 7a979058e..8255703ef 100644
--- a/files/routes/wrappers.py
+++ b/files/routes/wrappers.py
@@ -12,17 +12,13 @@ from files.helpers.settings import get_setting
 from files.routes.routehelpers import validate_formkey
 from files.__main__ import app, cache, db_session, limiter
 
-def session_init():
-	if not session.get("session_id"):
-		session.permanent = True
-		session["session_id"] = secrets.token_hex(49)
 
 def calc_users(v):
+	if not g.is_api_or_xhr: return
 	loggedin = cache.get(f'{SITE}_loggedin') or {}
 	loggedout = cache.get(f'{SITE}_loggedout') or {}
 	timestamp = int(time.time())
 
-	session_init()
 	if v:
 		if session["session_id"] in loggedout: del loggedout[session["session_id"]]
 		loggedin[v.id] = timestamp
@@ -48,7 +44,7 @@ def get_logged_in_user():
 	token = request.headers.get("Authorization","").strip()
 	if token:
 		client = g.db.query(ClientAuth).filter(ClientAuth.access_token == token).one_or_none()
-		if client: 
+		if client:
 			v = client.user
 			v.client = client
 	else:
@@ -57,19 +53,19 @@ def get_logged_in_user():
 			id = int(lo_user)
 			v = get_account(id, graceful=True)
 			if not v:
-				session.clear()
-				return None
+				session.pop("lo_user")
+				v = None
 			else:
 				nonce = session.get("login_nonce", 0)
 				if nonce < v.login_nonce or v.id != id:
-					session.clear()
-					return None
+					session.pop("lo_user")
+					v = None
 
-				if request.method != "GET":
-					submitted_key = request.values.get("formkey")
-					if not validate_formkey(v, submitted_key): abort(401)
-
-				v.client = None
+				if v:
+					if request.method != "GET":
+						submitted_key = request.values.get("formkey")
+						if not validate_formkey(v, submitted_key): abort(401)
+					v.client = None
 	g.is_api_or_xhr = bool((v and v.client) or request.headers.get("xhr"))
 
 	if request.method.lower() != "get" and get_setting('Read-only mode') and not (v and v.admin_level >= PERMS['SITE_BYPASS_READ_ONLY_MODE']):