http: don't double-decode session cookie (#1290)

getodk · Nov 13, 2024 · 695fa2c · 695fa2c
1 parent 9e74cf5
commit 695fa2c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/lib/http/preprocessors.js b/lib/http/preprocessors.js
@@ -114,7 +114,7 @@ const authHandler = ({ Sessions, Users, Auth }, context) => {
 
     // actually try to authenticate with it. no Problem on failure. short circuit
     // out if we have a GET or HEAD request.
-    const maybeSession = authBySessionToken(decodeURIComponent(token));
+    const maybeSession = authBySessionToken(token);
     if ((context.method === 'GET') || (context.method === 'HEAD')) return maybeSession;
 
     // if non-GET run authentication as usual but we'll have to check CSRF afterwards.