Expire nonce on register

This commit is contained in:
Omar Roth 2019-03-20 11:01:54 -05:00
parent f1d7aa09e4
commit 6e51189d4d
3 changed files with 17 additions and 10 deletions

View file

@ -1795,9 +1795,9 @@ post "/delete_account" do |env|
end
view_name = "subscriptions_#{sha256(user.email)[0..7]}"
PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
env.request.cookies.each do |cookie|
cookie.expires = Time.new(1990, 1, 1)

View file

@ -132,12 +132,15 @@ def refresh_feeds(db, logger, max_threads = 1)
db.exec("REFRESH MATERIALIZED VIEW #{view_name}")
rescue ex
# Create view if it doesn't exist
if ex.message.try &.ends_with? "does not exist"
if ex.message.try &.ends_with?("does not exist")
# While iterating through, we may have an email stored from a deleted account
if db.query_one?("SELECT true FROM users WHERE email = $1", email, as: Bool)
db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
SELECT * FROM channel_videos WHERE \
ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
ORDER BY published DESC;")
logger.write("CREATE #{view_name}")
end
else
logger.write("REFRESH #{email} : #{ex.message}\n")
end

View file

@ -255,8 +255,12 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
challenge = OpenSSL::HMAC.digest(:sha256, key, challenge)
challenge = Base64.urlsafe_encode(challenge)
if db.query_one?("SELECT EXISTS (SELECT true FROM nonces WHERE nonce = $1)", nonce, as: Bool)
db.exec("DELETE FROM nonces * WHERE nonce = $1", nonce)
if nonce = db.query_one?("SELECT * FROM nonces WHERE nonce = $1", nonce, as: {String, Time})
if nonce[1] > Time.now
db.exec("UPDATE nonces SET expire = $1 WHERE nonce = $2", Time.new(1990, 1, 1), nonce[0])
else
raise translate(locale, "Invalid token")
end
else
raise translate(locale, "Invalid token")
end
@ -270,7 +274,7 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
end
if challenge_user_id != user_id
raise translate(locale, "Invalid user")
raise translate(locale, "Invalid token")
end
if expire < Time.now.to_unix