From: Stefan Sperling <stsp@stsp.name>
Subject: Re: gotwebd login status and logout link
To: Omar Polo <op@omarpolo.com>
Cc: gameoftrees@openbsd.org
Date: Mon, 9 Feb 2026 15:39:16 +0100

On Sat, Feb 07, 2026 at 09:15:45PM +0100, Omar Polo wrote:
> > +	/*
> > +	 * The www user ID represents the case where no authentication
> > +	 * occurred. This user must not be allowed to log in.
> > +	 */
> > +	if (uid == env->www_uid) {
> > +		error = got_error(GOT_ERR_LOGOUT_FAILED);
> > +		goto err;
> > +	}
> 
> this cannot happen actually?  or is just paranoid?

Indeed, it cannot happen unless the www UID somehow ends up in the range
managed by gotwebd, and if that user then manages to log in. Which
should not happen unless someone sets things up wrong.
It's just a sanity check, mostly to document the special assumptions
we make about this specific UID.