Expire nonce on register

This commit is contained in:
Omar Roth 2019-03-20 11:01:54 -05:00
parent f1d7aa09e4
commit 6e51189d4d
3 changed files with 17 additions and 10 deletions

View File

@ -1795,9 +1795,9 @@ post "/delete_account" do |env|
end end
view_name = "subscriptions_#{sha256(user.email)[0..7]}" view_name = "subscriptions_#{sha256(user.email)[0..7]}"
PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email) PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email) PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
env.request.cookies.each do |cookie| env.request.cookies.each do |cookie|
cookie.expires = Time.new(1990, 1, 1) cookie.expires = Time.new(1990, 1, 1)

View File

@ -132,12 +132,15 @@ def refresh_feeds(db, logger, max_threads = 1)
db.exec("REFRESH MATERIALIZED VIEW #{view_name}") db.exec("REFRESH MATERIALIZED VIEW #{view_name}")
rescue ex rescue ex
# Create view if it doesn't exist # Create view if it doesn't exist
if ex.message.try &.ends_with? "does not exist" if ex.message.try &.ends_with?("does not exist")
# While iterating through, we may have an email stored from a deleted account
if db.query_one?("SELECT true FROM users WHERE email = $1", email, as: Bool)
db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \ db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
SELECT * FROM channel_videos WHERE \ SELECT * FROM channel_videos WHERE \
ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \ ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
ORDER BY published DESC;") ORDER BY published DESC;")
logger.write("CREATE #{view_name}") logger.write("CREATE #{view_name}")
end
else else
logger.write("REFRESH #{email} : #{ex.message}\n") logger.write("REFRESH #{email} : #{ex.message}\n")
end end

View File

@ -255,8 +255,12 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
challenge = OpenSSL::HMAC.digest(:sha256, key, challenge) challenge = OpenSSL::HMAC.digest(:sha256, key, challenge)
challenge = Base64.urlsafe_encode(challenge) challenge = Base64.urlsafe_encode(challenge)
if db.query_one?("SELECT EXISTS (SELECT true FROM nonces WHERE nonce = $1)", nonce, as: Bool) if nonce = db.query_one?("SELECT * FROM nonces WHERE nonce = $1", nonce, as: {String, Time})
db.exec("DELETE FROM nonces * WHERE nonce = $1", nonce) if nonce[1] > Time.now
db.exec("UPDATE nonces SET expire = $1 WHERE nonce = $2", Time.new(1990, 1, 1), nonce[0])
else
raise translate(locale, "Invalid token")
end
else else
raise translate(locale, "Invalid token") raise translate(locale, "Invalid token")
end end
@ -270,7 +274,7 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
end end
if challenge_user_id != user_id if challenge_user_id != user_id
raise translate(locale, "Invalid user") raise translate(locale, "Invalid token")
end end
if expire < Time.now.to_unix if expire < Time.now.to_unix