sessions: check idp id to detect provider changes to force session invalidation (#3707)

* sessions: check idp id to detect provider changes to force session invalidation

* remove dead code

* fix test

internal/sessions/middleware.go

@@ -2,7 +2,6 @@ package sessions
 
 import (
 	"context"
-	"errors"
 	"net/http"
 )
 
@@ -14,17 +13,17 @@ var (
 
 // RetrieveSession takes a slice of session loaders and tries to find a valid
 // session in the order they were supplied and is added to the request's context
-func RetrieveSession(s ...SessionLoader) func(http.Handler) http.Handler {
+func RetrieveSession(s SessionLoader) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
-		return retrieve(s...)(next)
+		return retrieve(s)(next)
 	}
 }
 
-func retrieve(s ...SessionLoader) func(http.Handler) http.Handler {
+func retrieve(s SessionLoader) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		hfn := func(w http.ResponseWriter, r *http.Request) {
 			ctx := r.Context()
-			jwt, err := retrieveFromRequest(r, s...)
+			jwt, err := s.LoadSession(r)
 			ctx = NewContext(ctx, jwt, err)
 			next.ServeHTTP(w, r.WithContext(ctx))
 		}
@@ -32,21 +31,6 @@ func retrieve(s ...SessionLoader) func(http.Handler) http.Handler {
 	}
 }
 
-// retrieveFromRequest extracts sessions state from the request by calling
-// token find functions in the order they where provided.
-func retrieveFromRequest(r *http.Request, sessions ...SessionLoader) (string, error) {
-	for _, s := range sessions {
-		jwt, err := s.LoadSession(r)
-		if err != nil && !errors.Is(err, ErrNoSessionFound) {
-			return "", err
-		} else if err == nil {
-			return jwt, nil
-		}
-	}
-
-	return "", ErrNoSessionFound
-}
-
 // NewContext sets context values for the user session state and error.
 func NewContext(ctx context.Context, jwt string, err error) context.Context {
 	ctx = context.WithValue(ctx, SessionCtxKey, jwt)