Expire nonce on register

2019-03-20 11:01:54 -05:00 · 2019-03-20 11:01:54 -05:00 · 6e51189d4d
parent f1d7aa09e4
commit 6e51189d4d
3 changed files with 17 additions and 10 deletions
--- a/src/invidious.cr
+++ b/src/invidious.cr
@ -1795,9 +1795,9 @@ post "/delete_account" do |env|
    end

    view_name = "subscriptions_#{sha256(user.email)[0..7]}"
-    PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
    PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
    PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
+    PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")

    env.request.cookies.each do |cookie|
      cookie.expires = Time.new(1990, 1, 1)
--- a/src/invidious/jobs.cr
+++ b/src/invidious/jobs.cr
@ -132,12 +132,15 @@ def refresh_feeds(db, logger, max_threads = 1)
              db.exec("REFRESH MATERIALIZED VIEW #{view_name}")
            rescue ex
              # Create view if it doesn't exist
-              if ex.message.try &.ends_with? "does not exist"
-                db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
-                SELECT * FROM channel_videos WHERE \
-                ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
-                ORDER BY published DESC;")
-                logger.write("CREATE #{view_name}")
+              if ex.message.try &.ends_with?("does not exist")
+                # While iterating through, we may have an email stored from a deleted account
+                if db.query_one?("SELECT true FROM users WHERE email = $1", email, as: Bool)
+                  db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
+                  SELECT * FROM channel_videos WHERE \
+                  ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
+                  ORDER BY published DESC;")
+                  logger.write("CREATE #{view_name}")
+                end
              else
                logger.write("REFRESH #{email} : #{ex.message}\n")
              end
--- a/src/invidious/users.cr
+++ b/src/invidious/users.cr
@ -255,8 +255,12 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
  challenge = OpenSSL::HMAC.digest(:sha256, key, challenge)
  challenge = Base64.urlsafe_encode(challenge)

-  if db.query_one?("SELECT EXISTS (SELECT true FROM nonces WHERE nonce = $1)", nonce, as: Bool)
-    db.exec("DELETE FROM nonces * WHERE nonce = $1", nonce)
+  if nonce = db.query_one?("SELECT * FROM nonces WHERE nonce = $1", nonce, as: {String, Time})
+    if nonce[1] > Time.now
+       db.exec("UPDATE nonces SET expire = $1 WHERE nonce = $2", Time.new(1990, 1, 1), nonce[0])
+    else
+      raise translate(locale, "Invalid token")
+    end
  else
    raise translate(locale, "Invalid token")
  end
@ -270,7 +274,7 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
  end

  if challenge_user_id != user_id
-    raise translate(locale, "Invalid user")
+    raise translate(locale, "Invalid token")
  end

  if expire < Time.now.to_unix