odrs: Generate user_skey from the response app_id

Philip Withnall requested to merge pwithnall/odrs-web:user_skey-fixes2 into master

This is almost entirely based on an investigation by Milan Crha, who deserves the credit for this fix: GNOME/gnome-software#1010 (comment 1405055).

Previously, the user_skey in each review returned by the fetch endpoint was being generated from the user_hash and app_id in the HTTP request.

That doesn’t work if the returned reviews cover multiple app IDs, as can happen when compat_ids are used. For example, my cached ~/.cache/gnome-software/odrs/org.gnome.Weather.json file contains reviews with app_ids set to:

  • org.gnome.Weather
  • org.gnome.Weather.Application.desktop
  • org.gnome.Weather.desktop

The user_skey associated with all of them is identical, and is only valid for ID org.gnome.Weather.

Fix this by generating a user_skey to match the app_id in each returned review. Continue to use the user_hash provided in the HTTP request, so the user_skey continues to be unique to the requesting user.

Signed-off-by: Philip Withnall <pwithnall@endlessos.org>

Edited by Philip Withnall
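
The mismatch described in the merge request, as an added example that is not code from odrs-web or from the merge request itself. It assumes an HMAC-SHA256 derivation, a placeholder server secret, and a later check that validates user_skey against the review's own app_id; all function names and sample values are hypothetical.

```python
import hashlib
import hmac

# Assumption: placeholder secret and HMAC-SHA256 derivation. The page does not
# show how ODRS actually derives user_skey.
SERVER_SECRET = b"constructed-secret-for-illustration"


def derive_user_skey(user_hash: str, app_id: str) -> str:
    """Bind a key to exactly one (user_hash, app_id) pair."""
    msg = user_hash.encode() + b"\x00" + app_id.encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def skey_is_valid(user_hash: str, app_id: str, user_skey: str) -> bool:
    """Assumed later check: compare in constant time against the expected key."""
    return hmac.compare_digest(derive_user_skey(user_hash, app_id), user_skey)


def fetch_before(request_user_hash, request_app_id, reviews):
    """Behaviour described as 'previously': one key, from the request's app_id."""
    skey = derive_user_skey(request_user_hash, request_app_id)
    return [dict(r, user_skey=skey) for r in reviews]


def fetch_after(request_user_hash, reviews):
    """Behaviour after the fix: one key per review, from that review's app_id."""
    return [dict(r, user_skey=derive_user_skey(request_user_hash, r["app_id"]))
            for r in reviews]


def rejected_app_ids(user_hash, response):
    """app_ids whose returned key would fail a check against that same app_id."""
    return [r["app_id"] for r in response
            if not skey_is_valid(user_hash, r["app_id"], r["user_skey"])]


# Constructed sample data: the three app_ids listed in the description.
REVIEWS = [
    {"review_id": 1, "app_id": "org.gnome.Weather"},
    {"review_id": 2, "app_id": "org.gnome.Weather.Application.desktop"},
    {"review_id": 3, "app_id": "org.gnome.Weather.desktop"},
]
USER_HASH = "constructed-user-hash"

if __name__ == "__main__":
    print("before:", rejected_app_ids(USER_HASH, fetch_before(USER_HASH, "org.gnome.Weather", REVIEWS)))
    print("after: ", rejected_app_ids(USER_HASH, fetch_after(USER_HASH, REVIEWS)))
```

A regression test for this class of bug can assert that every review in a fetch response carries a key that validates against its own app_id, and that keys still differ between requesting users.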