jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

sessions: remove legacy user_name / password_hash cookies.

Browse Source 
Remove support for logging in with the deprecated user_name /
password_hash cookies. Followup to 320ff01e0.
This commit is contained in:
evazion
2020-03-25 03:01:43 -05:00
parent 4b1114b4a4
commit 9e455695a1
6 changed files with 1 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/maintenance/user/deletions_controller.rb
View File

@@ -8,8 +8,6 @@ module Maintenance
deletion = UserDeletion.new(CurrentUser.user, params[:password]) deletion = UserDeletion.new(CurrentUser.user, params[:password])
deletion.delete! deletion.delete!
session.delete(:user_id) session.delete(:user_id)
cookies.delete(:password_hash)
cookies.delete(:user_name)
redirect_to(posts_path, :notice => "You are now logged out") redirect_to(posts_path, :notice => "You are now logged out")
end end
end end

2
app/controllers/sessions_controller.rb
View File

@@ -22,8 +22,6 @@ class SessionsController < ApplicationController
def destroy def destroy
session.delete(:user_id) session.delete(:user_id)
cookies.delete(:user_name)
cookies.delete(:password_hash)
redirect_to(posts_path, :notice => "You are now logged out") redirect_to(posts_path, :notice => "You are now logged out")
end end

18
app/logical/session_loader.rb
View File

@@ -1,12 +1,11 @@
class SessionLoader class SessionLoader
class AuthenticationFailure < StandardError; end class AuthenticationFailure < StandardError; end
attr_reader :session, :cookies, :request, :params attr_reader :session, :request, :params
def initialize(request) def initialize(request)
@request = request @request = request
@session = request.session @session = request.session
@cookies = request.cookie_jar
@params = request.parameters @params = request.parameters
end end
@@ -20,8 +19,6 @@ class SessionLoader
load_param_user(params[:signed_user_id]) load_param_user(params[:signed_user_id])
elsif session[:user_id] elsif session[:user_id]
load_session_user load_session_user
elsif cookie_password_hash_valid?
load_cookie_user
end end
set_statement_timeout set_statement_timeout
@@ -91,15 +88,6 @@ class SessionLoader
CurrentUser.user = user if user CurrentUser.user = user if user
end end
def load_cookie_user
CurrentUser.user = User.find_by_name(cookies.signed[:user_name])
session[:user_id] = CurrentUser.user.id
end
def cookie_password_hash_valid?
cookies[:password_hash] && cookies.signed[:user_name] && User.authenticate_cookie_hash(cookies.signed[:user_name], cookies[:password_hash])
end
def update_last_logged_in_at def update_last_logged_in_at
return if CurrentUser.is_anonymous? return if CurrentUser.is_anonymous?
return if CurrentUser.last_logged_in_at && CurrentUser.last_logged_in_at > 1.week.ago return if CurrentUser.last_logged_in_at && CurrentUser.last_logged_in_at > 1.week.ago
@@ -124,9 +112,5 @@ class SessionLoader
def initialize_session_cookies def initialize_session_cookies
session.options[:expire_after] = 20.years session.options[:expire_after] = 20.years
session[:started_at] ||= Time.now.utc.to_s session[:started_at] ||= Time.now.utc.to_s
# clear out legacy login cookies if present
cookies.delete(:user_name)
cookies.delete(:password_hash)
end end
end end

13
app/models/user.rb
View File

@@ -165,10 +165,6 @@ class User < ApplicationRecord
BCrypt::Password.new(bcrypt_password_hash) BCrypt::Password.new(bcrypt_password_hash)
end end
def bcrypt_cookie_password_hash
bcrypt_password_hash.slice(20, 100)
end
def password=(new_password) def password=(new_password)
@password = new_password @password = new_password
self.bcrypt_password_hash = User.bcrypt(new_password) self.bcrypt_password_hash = User.bcrypt(new_password)
@@ -205,15 +201,6 @@ class User < ApplicationRecord
end end
end end
def authenticate_cookie_hash(name, hash)
user = find_by_name(name)
if user && user.bcrypt_cookie_password_hash == hash
user
else
nil
end
end
def bcrypt(pass) def bcrypt(pass)
BCrypt::Password.create(sha1(pass)) BCrypt::Password.create(sha1(pass))
end end

19
test/functional/maintenance/user/api_keys_controller_test.rb
View File

@@ -23,25 +23,6 @@ module Maintenance
assert_response :success assert_response :success
end end
# hard to test this in integrationtest
# context "if the user doesn't already have an api key" do
# setup do
# ::User.any_instance.stubs(:api_key).returns(nil)
# cookies[:user_name] = @user.name
# cookies[:password_hash] = @user.bcrypt_cookie_password_hash
# end
# should "generate one" do
# ApiKey.expects(:generate!)
# assert_difference("ApiKey.count", 1) do
# post view_maintenance_user_api_key_path(user_id: @user.id), params: {user: {password: "password"}}
# end
# assert_not_nil(@user.reload.api_key)
# end
# end
should "not generate another API key if the user already has one" do should "not generate another API key if the user already has one" do
assert_difference("ApiKey.count", 0) do assert_difference("ApiKey.count", 0) do
post_auth view_maintenance_user_api_key_path(user_id: @user.id), @user, params: {user: {password: "password"}} post_auth view_maintenance_user_api_key_path(user_id: @user.id), @user, params: {user: {password: "password"}}

9
test/unit/user_test.rb
View File

@@ -151,15 +151,6 @@ class UserTest < ActiveSupport::TestCase
end end
context "password" do context "password" do
should "match the cookie hash" do
@user = FactoryBot.create(:user)
@user.password = "zugzug5"
@user.password_confirmation = "zugzug5"
@user.save
@user.reload
assert(User.authenticate_cookie_hash(@user.name, @user.bcrypt_cookie_password_hash))
end
should "match the confirmation" do should "match the confirmation" do
@user = FactoryBot.create(:user) @user = FactoryBot.create(:user)
@user.old_password = "password" @user.old_password = "password"