jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

api keys: require reauthentication when working with API keys.

Browse Source 
Require the user to re-enter their password before they can view,
create, update, or delete their API keys.

This works by tracking the timestamp of the user's last password
re-entry in a `last_authenticated_at` session cookie, and redirecting
the user to a password confirmation page if they haven't re-entered
their password in the last hour.

This is modeled after Github's Sudo mode.
This commit is contained in:
evazion
2021-02-15 00:09:12 -06:00
parent d99985160a
commit 3d01febcf7
7 changed files with 42 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/logical/session_loader.rb
View File

@@ -14,6 +14,7 @@ class SessionLoader
if user.present? && user.authenticate_password(password)
session[:user_id] = user.id
session[:last_authenticated_at] = Time.now.utc.to_s
UserEvent.build_from_request(user, :login, request)
user.last_logged_in_at = Time.now
@@ -31,6 +32,7 @@ class SessionLoader
def logout
session.delete(:user_id)
session.delete(:last_authenticated_at)
return if CurrentUser.user.is_anonymous?
UserEvent.create_from_request!(CurrentUser.user, :logout, request)
end