api keys: require reauthentication when working with API keys.

Require the user to re-enter their password before they can view,
create, update, or delete their API keys.

This works by tracking the timestamp of the user's last password
re-entry in a `last_authenticated_at` session cookie, and redirecting
the user to a password confirmation page if they haven't re-entered
their password in the last hour.

This is modeled after Github's Sudo mode.
This commit is contained in:
evazion
2021-02-15 00:09:12 -06:00
parent d99985160a
commit 3d01febcf7
7 changed files with 42 additions and 0 deletions


@@ -189,6 +189,15 @@ class ApplicationController < ActionController::Base
params.fetch(PolicyFinder.new(record).param_key, {})
end
def requires_reauthentication
return if CurrentUser.user.is_anonymous?
last_authenticated_at = session[:last_authenticated_at]
if last_authenticated_at.blank? || Time.parse(last_authenticated_at) < 60.minutes.ago
redirect_to confirm_password_session_path(url: request.fullpath)
end
end
# Remove blank `search` params from the url.
#
# /tags?search[name]=touhou&search[category]=&search[order]=
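Review bot: `Time.parse(last_authenticated_at)` in `requires_reauthentication` will raise `ArgumentError` on a session value that is present but not a parsable timestamp, which turns a malformed cookie into a 500 instead of a redirect to the confirmation page; consider parsing with a rescue (or `Time.zone.parse`, which returns `nil` on garbage) and treating any unparsable value like a blank one, so the branch falls through to `redirect_to confirm_password_session_path(url: request.fullpath)`. On the same line, the `url:` parameter is carried through the confirmation flow as a user-controlled value, so the confirmation action that redirects back to it should verify it is a local path before following it. A short comment above the method stating the one-hour window and that it is intended to run as a `before_action` would also help, since nothing in this hunk shows where `session[:last_authenticated_at]` is set.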