mirror of
https://github.com/iv-org/invidious.git
synced 2024-12-17 11:44:30 -05:00
Expire nonce on register
This commit is contained in:
parent
f1d7aa09e4
commit
6e51189d4d
@ -1795,9 +1795,9 @@ post "/delete_account" do |env|
|
|||||||
end
|
end
|
||||||
|
|
||||||
view_name = "subscriptions_#{sha256(user.email)[0..7]}"
|
view_name = "subscriptions_#{sha256(user.email)[0..7]}"
|
||||||
PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
|
|
||||||
PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
|
PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
|
||||||
PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
|
PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
|
||||||
|
PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
|
||||||
|
|
||||||
env.request.cookies.each do |cookie|
|
env.request.cookies.each do |cookie|
|
||||||
cookie.expires = Time.new(1990, 1, 1)
|
cookie.expires = Time.new(1990, 1, 1)
|
||||||
|
@ -132,12 +132,15 @@ def refresh_feeds(db, logger, max_threads = 1)
|
|||||||
db.exec("REFRESH MATERIALIZED VIEW #{view_name}")
|
db.exec("REFRESH MATERIALIZED VIEW #{view_name}")
|
||||||
rescue ex
|
rescue ex
|
||||||
# Create view if it doesn't exist
|
# Create view if it doesn't exist
|
||||||
if ex.message.try &.ends_with? "does not exist"
|
if ex.message.try &.ends_with?("does not exist")
|
||||||
|
# While iterating through, we may have an email stored from a deleted account
|
||||||
|
if db.query_one?("SELECT true FROM users WHERE email = $1", email, as: Bool)
|
||||||
db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
|
db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
|
||||||
SELECT * FROM channel_videos WHERE \
|
SELECT * FROM channel_videos WHERE \
|
||||||
ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
|
ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
|
||||||
ORDER BY published DESC;")
|
ORDER BY published DESC;")
|
||||||
logger.write("CREATE #{view_name}")
|
logger.write("CREATE #{view_name}")
|
||||||
|
end
|
||||||
else
|
else
|
||||||
logger.write("REFRESH #{email} : #{ex.message}\n")
|
logger.write("REFRESH #{email} : #{ex.message}\n")
|
||||||
end
|
end
|
||||||
|
@ -255,8 +255,12 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
|
|||||||
challenge = OpenSSL::HMAC.digest(:sha256, key, challenge)
|
challenge = OpenSSL::HMAC.digest(:sha256, key, challenge)
|
||||||
challenge = Base64.urlsafe_encode(challenge)
|
challenge = Base64.urlsafe_encode(challenge)
|
||||||
|
|
||||||
if db.query_one?("SELECT EXISTS (SELECT true FROM nonces WHERE nonce = $1)", nonce, as: Bool)
|
if nonce = db.query_one?("SELECT * FROM nonces WHERE nonce = $1", nonce, as: {String, Time})
|
||||||
db.exec("DELETE FROM nonces * WHERE nonce = $1", nonce)
|
if nonce[1] > Time.now
|
||||||
|
db.exec("UPDATE nonces SET expire = $1 WHERE nonce = $2", Time.new(1990, 1, 1), nonce[0])
|
||||||
|
else
|
||||||
|
raise translate(locale, "Invalid token")
|
||||||
|
end
|
||||||
else
|
else
|
||||||
raise translate(locale, "Invalid token")
|
raise translate(locale, "Invalid token")
|
||||||
end
|
end
|
||||||
@ -270,7 +274,7 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
|
|||||||
end
|
end
|
||||||
|
|
||||||
if challenge_user_id != user_id
|
if challenge_user_id != user_id
|
||||||
raise translate(locale, "Invalid user")
|
raise translate(locale, "Invalid token")
|
||||||
end
|
end
|
||||||
|
|
||||||
if expire < Time.now.to_unix
|
if expire < Time.now.to_unix
|
||||||
|
Loading…
Reference in New Issue
Block a user