From 6e51189d4dab6f3e3ee3f5eb6738a08d300a5753 Mon Sep 17 00:00:00 2001
From: Omar Roth <omarroth@hotmail.com>
Date: Wed, 20 Mar 2019 11:01:54 -0500
Subject: [PATCH] Expire nonce on register

---
 src/invidious.cr       |  2 +-
 src/invidious/jobs.cr  | 15 +++++++++------
 src/invidious/users.cr | 10 +++++++---
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/src/invidious.cr b/src/invidious.cr
index e3c23d8d..af810bd2 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -1795,9 +1795,9 @@ post "/delete_account" do |env|
     end
 
     view_name = "subscriptions_#{sha256(user.email)[0..7]}"
-    PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
     PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
     PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
+    PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
 
     env.request.cookies.each do |cookie|
       cookie.expires = Time.new(1990, 1, 1)
diff --git a/src/invidious/jobs.cr b/src/invidious/jobs.cr
index 50374601..d55d8a40 100644
--- a/src/invidious/jobs.cr
+++ b/src/invidious/jobs.cr
@@ -132,12 +132,15 @@ def refresh_feeds(db, logger, max_threads = 1)
               db.exec("REFRESH MATERIALIZED VIEW #{view_name}")
             rescue ex
               # Create view if it doesn't exist
-              if ex.message.try &.ends_with? "does not exist"
-                db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
-                SELECT * FROM channel_videos WHERE \
-                ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
-                ORDER BY published DESC;")
-                logger.write("CREATE #{view_name}")
+              if ex.message.try &.ends_with?("does not exist")
+                # While iterating through, we may have an email stored from a deleted account
+                if db.query_one?("SELECT true FROM users WHERE email = $1", email, as: Bool)
+                  db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
+                  SELECT * FROM channel_videos WHERE \
+                  ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
+                  ORDER BY published DESC;")
+                  logger.write("CREATE #{view_name}")
+                end
               else
                 logger.write("REFRESH #{email} : #{ex.message}\n")
               end
diff --git a/src/invidious/users.cr b/src/invidious/users.cr
index 1131c77e..d7b0e14c 100644
--- a/src/invidious/users.cr
+++ b/src/invidious/users.cr
@@ -255,8 +255,12 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
   challenge = OpenSSL::HMAC.digest(:sha256, key, challenge)
   challenge = Base64.urlsafe_encode(challenge)
 
-  if db.query_one?("SELECT EXISTS (SELECT true FROM nonces WHERE nonce = $1)", nonce, as: Bool)
-    db.exec("DELETE FROM nonces * WHERE nonce = $1", nonce)
+  if nonce = db.query_one?("SELECT * FROM nonces WHERE nonce = $1", nonce, as: {String, Time})
+    if nonce[1] > Time.now
+       db.exec("UPDATE nonces SET expire = $1 WHERE nonce = $2", Time.new(1990, 1, 1), nonce[0])
+    else
+      raise translate(locale, "Invalid token")
+    end
   else
     raise translate(locale, "Invalid token")
   end
@@ -270,7 +274,7 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
   end
 
   if challenge_user_id != user_id
-    raise translate(locale, "Invalid user")
+    raise translate(locale, "Invalid token")
   end
 
   if expire < Time.now.to_unix