server/auth: prioritize customer session over web session

frankie567 · frankie567 · commit 875a6b2736cd · 2025-01-14T11:25:45.000+01:00
We found out that users were troubled by the fact that their own customer portal was showing up instead of the one tied to the customer session token that was present in the URL.

With this change, if the backend finds a valid customer session token, it uses it instead of the web cookie session, correctly showing the customer we're trying to see instead of the authenticated user.
diff --git a/server/polar/auth/dependencies.py b/server/polar/auth/dependencies.py
@@ -40,14 +40,23 @@ async def get_user_session(
 
 
 async def _get_auth_subject(
+    customer_session_credentials: tuple[CustomerSession | None, bool] = (None, False),
     user_session: UserSession | None = None,
     oauth2_credentials: tuple[OAuth2Token | None, bool] = (None, False),
     personal_access_token_credentials: tuple[PersonalAccessToken | None, bool] = (
         None,
         False,
     ),
-    customer_session_credentials: tuple[CustomerSession | None, bool] = (None, False),
 ) -> AuthSubject[Subject]:
+    # Customer session is prioritized over web session
+    customer_session, customer_session_authorization_set = customer_session_credentials
+    if customer_session:
+        return AuthSubject(
+            customer_session.customer,
+            {Scope.customer_portal_write},
+            AuthMethod.CUSTOMER_SESSION_TOKEN,
+        )
+
     # Web session
     if user_session is not None:
         user = user_session.user
@@ -64,7 +73,6 @@ async def _get_auth_subject(
     personal_access_token, personal_access_token_authorization_set = (
         personal_access_token_credentials
     )
-    customer_session, customer_session_authorization_set = customer_session_credentials
 
     if oauth2_token:
         return AuthSubject(
@@ -78,13 +86,6 @@ async def _get_auth_subject(
             AuthMethod.PERSONAL_ACCESS_TOKEN,
         )
 
-    if customer_session:
-        return AuthSubject(
-            customer_session.customer,
-            {Scope.customer_portal_write},
-            AuthMethod.CUSTOMER_SESSION_TOKEN,
-        )
-
     if any(
         (
             oauth2_authorization_set,
