+static int xreq_session_check_apply_v2(struct afb_xreq *xreq, uint32_t sessionflags, const struct afb_auth *auth)
+{
+ int loa;
+
+ if (sessionflags != 0) {
+ if (!afb_context_check(&xreq->context)) {
+ afb_context_close(&xreq->context);
+ afb_xreq_fail_f(xreq, "denied", "invalid token's identity");
+ errno = EINVAL;
+ return -1;
+ }
+ }
+
+ loa = (int)(sessionflags & AFB_SESSION_LOA_MASK_V2);
+ if (loa && !afb_context_check_loa(&xreq->context, loa)) {
+ afb_xreq_fail_f(xreq, "denied", "invalid LOA");
+ errno = EPERM;
+ return -1;
+ }
+
+ if (auth && !afb_auth_check(auth, xreq)) {
+ afb_xreq_fail_f(xreq, "denied", "authorisation refused");
+ errno = EPERM;
+ return -1;
+ }
+
+ if ((sessionflags & AFB_SESSION_REFRESH_V2) != 0) {
+ afb_context_refresh(&xreq->context);
+ }
+ if ((sessionflags & AFB_SESSION_CLOSE_V2) != 0) {
+ afb_context_close(&xreq->context);
+ }
+
+ return 0;
+}
+