refactor: validate session separately

OliverBooth/Controllers/AdminController.cs

@@ -69,7 +69,7 @@ public sealed class AdminController : ControllerBase
     [HttpGet("logout")]
     public IActionResult Logout()
     {
-        if (_sessionService.TryGetSession(Request, out ISession? session, true))
+        if (_sessionService.TryGetSession(Request, out ISession? session))
             _sessionService.DeleteSession(session);
 
         return _sessionService.DeleteSessionCookie(Response);

OliverBooth/Pages/Admin/Index.cshtml.cs

@@ -23,12 +23,18 @@ public class Index : PageModel
 
     public IActionResult OnGet()
     {
-        if (!_sessionService.TryGetSession(HttpContext.Request, out ISession? session))
+        if (!_sessionService.TryGetSession(Request, out ISession? session))
         {
             _logger.LogDebug("Session not found; redirecting");
             return _sessionService.DeleteSessionCookie(Response);
         }
 
+        if (!_sessionService.ValidateSession(Request, session))
+        {
+            _logger.LogDebug("Session invalid; redirecting");
+            return _sessionService.DeleteSessionCookie(Response);
+        }
+
         if (!_userService.TryGetUser(session.UserId, out IUser? user))
         {
             _logger.LogDebug("User not found; redirecting");

OliverBooth/Services/ISessionService.cs

@@ -1,4 +1,5 @@
 using System.Diagnostics.CodeAnalysis;
+using Microsoft.AspNetCore.Mvc;
 using OliverBooth.Data.Web;
 using ISession = OliverBooth.Data.Blog.ISession;
 
@@ -47,10 +48,20 @@ public interface ISessionService
     ///     When this method returns, contains the session with the specified request, if the user is found; otherwise,
     ///     <see langword="null" />.
     /// </param>
-    /// <param name="includeInvalid">
-    ///     <see langword="true" /> to include invalid sessions in the search; otherwise, <see langword="false" />.
-    /// </param>
     /// <returns><see langword="true" /> if the session was found; otherwise, <see langword="false" />.</returns>
     /// <exception cref="ArgumentNullException"><paramref name="request" /> is <see langword="null" />.</exception>
-    bool TryGetSession(HttpRequest request, [NotNullWhen(true)] out ISession? session, bool includeInvalid = false);
+    bool TryGetSession(HttpRequest request, [NotNullWhen(true)] out ISession? session);
-}
+
+    /// <summary>
+    ///     Validates the session with the incoming HTTP request.
+    /// </summary>
+    /// <param name="request">The HTTP request.</param>
+    /// <param name="session">The session.</param>
+    /// <returns><see langword="true" /> if the session is valid; otherwise, <see langword="false" />.</returns>
+    /// <exception cref="ArgumentNullException">
+    ///     <para><paramref name="request" /> is <see langword="null" />.</para>
+    ///     -or-
+    ///     <para><paramref name="session" /> is <see langword="null" />.</para>
+    /// </exception>
+    bool ValidateSession(HttpRequest request, ISession session);
+}

OliverBooth/Services/SessionService.cs

@@ -1,5 +1,6 @@
 using System.Diagnostics.CodeAnalysis;
 using System.Net;
+using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore.ChangeTracking;
 using OliverBooth.Data.Blog;
@@ -71,8 +72,7 @@ internal sealed class SessionService : ISessionService
     }
 
     /// <inheritdoc />
-    public bool TryGetSession(HttpRequest request, [NotNullWhen(true)] out ISession? session,
+    public bool TryGetSession(HttpRequest request, [NotNullWhen(true)] out ISession? session)
-        bool includeInvalid = false)
     {
         if (request is null) throw new ArgumentNullException(nameof(request));
 
@@ -88,12 +88,20 @@ internal sealed class SessionService : ISessionService
             return false;
 
         var sessionId = new Guid(bytes);
-        if (!TryGetSession(sessionId, out session))
+        return TryGetSession(sessionId, out session);
-            return false;
+    }
 
-        if (!includeInvalid && session.Expires >= DateTimeOffset.UtcNow)
+    /// <inheritdoc />
+    public bool ValidateSession(HttpRequest request, ISession session)
+    {
+        if (request is null) throw new ArgumentNullException(nameof(request));
+        if (session is null) throw new ArgumentNullException(nameof(session));
+
+        IPAddress? remoteIpAddress = request.HttpContext.Connection.RemoteIpAddress;
+        if (remoteIpAddress is null) return false;
+
+        if (session.Expires >= DateTimeOffset.UtcNow)
         {
-            session = null;
             return false;
         }
 
@@ -101,22 +109,13 @@ internal sealed class SessionService : ISessionService
         Span<byte> sessionAddressBytes = stackalloc byte[16];
         if (!remoteIpAddress.TryWriteBytes(remoteAddressBytes, out _) ||
             !session.IpAddress.TryWriteBytes(sessionAddressBytes, out _))
-        {
-            session = null;
             return false;
-        }
 
-        if (!includeInvalid && !remoteAddressBytes.SequenceEqual(sessionAddressBytes))
+        if (!remoteAddressBytes.SequenceEqual(sessionAddressBytes))
-        {
-            session = null;
             return false;
-        }
 
-        if (!includeInvalid && _userService.TryGetUser(session.UserId, out _))
+        if (_userService.TryGetUser(session.UserId, out _))
-        {
-            session = null;
             return false;
-        }
 
         return true;
     }