mirror of
https://gitea.invidious.io/iv-org/invidious-copy-2023-06-08.git
synced 2024-08-15 00:53:38 +00:00
Expire nonce on register
This commit is contained in:
parent
f1d7aa09e4
commit
6e51189d4d
3 changed files with 17 additions and 10 deletions
|
@ -1795,9 +1795,9 @@ post "/delete_account" do |env|
|
|||
end
|
||||
|
||||
view_name = "subscriptions_#{sha256(user.email)[0..7]}"
|
||||
PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
|
||||
PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
|
||||
PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
|
||||
PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
|
||||
|
||||
env.request.cookies.each do |cookie|
|
||||
cookie.expires = Time.new(1990, 1, 1)
|
||||
|
|
|
@ -132,12 +132,15 @@ def refresh_feeds(db, logger, max_threads = 1)
|
|||
db.exec("REFRESH MATERIALIZED VIEW #{view_name}")
|
||||
rescue ex
|
||||
# Create view if it doesn't exist
|
||||
if ex.message.try &.ends_with? "does not exist"
|
||||
db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
|
||||
SELECT * FROM channel_videos WHERE \
|
||||
ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
|
||||
ORDER BY published DESC;")
|
||||
logger.write("CREATE #{view_name}")
|
||||
if ex.message.try &.ends_with?("does not exist")
|
||||
# While iterating through, we may have an email stored from a deleted account
|
||||
if db.query_one?("SELECT true FROM users WHERE email = $1", email, as: Bool)
|
||||
db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
|
||||
SELECT * FROM channel_videos WHERE \
|
||||
ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
|
||||
ORDER BY published DESC;")
|
||||
logger.write("CREATE #{view_name}")
|
||||
end
|
||||
else
|
||||
logger.write("REFRESH #{email} : #{ex.message}\n")
|
||||
end
|
||||
|
|
|
@ -255,8 +255,12 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
|
|||
challenge = OpenSSL::HMAC.digest(:sha256, key, challenge)
|
||||
challenge = Base64.urlsafe_encode(challenge)
|
||||
|
||||
if db.query_one?("SELECT EXISTS (SELECT true FROM nonces WHERE nonce = $1)", nonce, as: Bool)
|
||||
db.exec("DELETE FROM nonces * WHERE nonce = $1", nonce)
|
||||
if nonce = db.query_one?("SELECT * FROM nonces WHERE nonce = $1", nonce, as: {String, Time})
|
||||
if nonce[1] > Time.now
|
||||
db.exec("UPDATE nonces SET expire = $1 WHERE nonce = $2", Time.new(1990, 1, 1), nonce[0])
|
||||
else
|
||||
raise translate(locale, "Invalid token")
|
||||
end
|
||||
else
|
||||
raise translate(locale, "Invalid token")
|
||||
end
|
||||
|
@ -270,7 +274,7 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
|
|||
end
|
||||
|
||||
if challenge_user_id != user_id
|
||||
raise translate(locale, "Invalid user")
|
||||
raise translate(locale, "Invalid token")
|
||||
end
|
||||
|
||||
if expire < Time.now.to_unix
|
||||
|
|
Loading…
Reference in a new issue