Alter sessionVerify to remove expire
This commit is contained in:
parent
4b8287c097
commit
94676a6c16
|
@ -453,7 +453,7 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
|
|||
}
|
||||
|
||||
$sessions = $user->getAttribute('sessions', []);
|
||||
$current = Auth::sessionVerify($sessions, Auth::$secret);
|
||||
$current = Auth::sessionVerify($sessions, Auth::$secret, $project->getAttribute('authDuration', 0));
|
||||
|
||||
if ($current) { // Delete current session of new one.
|
||||
$currentDocument = $dbForProject->getDocument('sessions', $current);
|
||||
|
@ -1332,10 +1332,11 @@ App::get('/v1/account/sessions')
|
|||
->inject('response')
|
||||
->inject('user')
|
||||
->inject('locale')
|
||||
->action(function (Response $response, Document $user, Locale $locale) {
|
||||
->inject('project')
|
||||
->action(function (Response $response, Document $user, Locale $locale, Document $project) {
|
||||
|
||||
$sessions = $user->getAttribute('sessions', []);
|
||||
$current = Auth::sessionVerify($sessions, Auth::$secret);
|
||||
$current = Auth::sessionVerify($sessions, Auth::$secret, $project->getAttribute('authDuration', 0));
|
||||
|
||||
foreach ($sessions as $key => $session) {/** @var Document $session */
|
||||
$countryName = $locale->getText('countries.' . strtolower($session->getAttribute('countryCode')), $locale->getText('locale.country.unknown'));
|
||||
|
@ -1435,7 +1436,7 @@ App::get('/v1/account/sessions/:sessionId')
|
|||
|
||||
$sessions = $user->getAttribute('sessions', []);
|
||||
$sessionId = ($sessionId === 'current')
|
||||
? Auth::sessionVerify($user->getAttribute('sessions'), Auth::$secret)
|
||||
? Auth::sessionVerify($user->getAttribute('sessions'), Auth::$secret, $project->getAttribute('authDuration', 0))
|
||||
: $sessionId;
|
||||
|
||||
foreach ($sessions as $session) {/** @var Document $session */
|
||||
|
@ -1445,7 +1446,7 @@ App::get('/v1/account/sessions/:sessionId')
|
|||
$session
|
||||
->setAttribute('current', ($session->getAttribute('secret') == Auth::hash(Auth::$secret)))
|
||||
->setAttribute('countryName', $countryName)
|
||||
->setAttribute('expire', $session->getAttribute('$createdAt', 0) + $project->getAttribute('authDuration', 0))
|
||||
->setAttribute('expire', DateTime::addSeconds(new \DateTime($session->getCreatedAt()), $project->getAttribute('authDuration', 0)))
|
||||
;
|
||||
|
||||
return $response->dynamic($session, Response::MODEL_SESSION);
|
||||
|
@ -1712,11 +1713,12 @@ App::delete('/v1/account/sessions/:sessionId')
|
|||
->inject('dbForProject')
|
||||
->inject('locale')
|
||||
->inject('events')
|
||||
->action(function (?string $sessionId, Request $request, Response $response, Document $user, Database $dbForProject, Locale $locale, Event $events) {
|
||||
->inject('project')
|
||||
->action(function (?string $sessionId, Request $request, Response $response, Document $user, Database $dbForProject, Locale $locale, Event $events, Document $project) {
|
||||
|
||||
$protocol = $request->getProtocol();
|
||||
$sessionId = ($sessionId === 'current')
|
||||
? Auth::sessionVerify($user->getAttribute('sessions'), Auth::$secret)
|
||||
? Auth::sessionVerify($user->getAttribute('sessions'), Auth::$secret, $project->getAttribute('authDuration', 0))
|
||||
: $sessionId;
|
||||
|
||||
$sessions = $user->getAttribute('sessions', []);
|
||||
|
@ -1789,7 +1791,7 @@ App::patch('/v1/account/sessions/:sessionId')
|
|||
->action(function (?string $sessionId, Request $request, Response $response, Document $user, Database $dbForProject, Document $project, Locale $locale, Event $events) {
|
||||
|
||||
$sessionId = ($sessionId === 'current')
|
||||
? Auth::sessionVerify($user->getAttribute('sessions'), Auth::$secret)
|
||||
? Auth::sessionVerify($user->getAttribute('sessions'), Auth::$secret, $project->getAttribute('authDuration', 0))
|
||||
: $sessionId;
|
||||
|
||||
$sessions = $user->getAttribute('sessions', []);
|
||||
|
@ -1830,7 +1832,7 @@ App::patch('/v1/account/sessions/:sessionId')
|
|||
|
||||
$dbForProject->deleteCachedDocument('users', $user->getId());
|
||||
|
||||
$session->setAttribute('expire', $session->getAttribute('$createdAt', 0) + $project->getAttribute('authDuration', 0));
|
||||
$session->setAttribute('expire', $session->getCreatedAt() + $project->getAttribute('authDuration', 0));
|
||||
|
||||
$events
|
||||
->setParam('userId', $user->getId())
|
||||
|
|
|
@ -837,7 +837,7 @@ App::setResource('user', function ($mode, $project, $console, $request, $respons
|
|||
|
||||
if (
|
||||
$user->isEmpty() // Check a document has been found in the DB
|
||||
|| !Auth::sessionVerify($user->getAttribute('sessions', []), Auth::$secret)
|
||||
|| !Auth::sessionVerify($user->getAttribute('sessions', []), Auth::$secret, $project->getAttribute('authDuration', 0))
|
||||
) { // Validate user has valid login token
|
||||
$user = new Document(['$id' => ID::custom(''), '$collection' => 'users']);
|
||||
}
|
||||
|
|
|
@ -539,7 +539,7 @@ $server->onMessage(function (int $connection, string $message) use ($server, $re
|
|||
|
||||
if (
|
||||
empty($user->getId()) // Check a document has been found in the DB
|
||||
|| !Auth::sessionVerify($user->getAttribute('sessions', []), Auth::$secret) // Validate user has valid login token
|
||||
|| !Auth::sessionVerify($user->getAttribute('sessions', []), Auth::$secret, $project->getAttribute('authDuration', 0)) // Validate user has valid login token
|
||||
) {
|
||||
// cookie not valid
|
||||
throw new Exception('Session is not valid.', 1003);
|
||||
|
|
|
@ -352,19 +352,19 @@ class Auth
|
|||
*
|
||||
* @param array $sessions
|
||||
* @param string $secret
|
||||
* @param string $expires
|
||||
*
|
||||
* @return bool|string
|
||||
*/
|
||||
public static function sessionVerify(array $sessions, string $secret)
|
||||
public static function sessionVerify(array $sessions, string $secret, int $expires)
|
||||
{
|
||||
foreach ($sessions as $session) {
|
||||
/** @var Document $session */
|
||||
if (
|
||||
$session->isSet('secret') &&
|
||||
$session->isSet('expire') &&
|
||||
$session->isSet('provider') &&
|
||||
$session->getAttribute('secret') === self::hash($secret) &&
|
||||
DateTime::formatTz($session->getAttribute('expire')) >= DateTime::formatTz(DateTime::now())
|
||||
DateTime::formatTz(DateTime::addSeconds(new \DateTime($session->getCreatedAt()), $expires)) >= DateTime::formatTz(DateTime::now())
|
||||
) {
|
||||
return $session->getId();
|
||||
}
|
||||
|
|
|
@ -204,46 +204,46 @@ class AuthTest extends TestCase
|
|||
|
||||
public function testSessionVerify(): void
|
||||
{
|
||||
$expireTime1 = 60 * 60 * 24;
|
||||
|
||||
$secret = 'secret1';
|
||||
$hash = Auth::hash($secret);
|
||||
$tokens1 = [
|
||||
new Document([
|
||||
'$id' => ID::custom('token1'),
|
||||
'expire' => DateTime::formatTz(DateTime::addSeconds(new \DateTime(), 60 * 60 * 24)),
|
||||
'secret' => $hash,
|
||||
'provider' => Auth::SESSION_PROVIDER_EMAIL,
|
||||
'providerUid' => 'test@example.com',
|
||||
]),
|
||||
new Document([
|
||||
'$id' => ID::custom('token2'),
|
||||
'expire' => DateTime::formatTz(DateTime::addSeconds(new \DateTime(), -60 * 60 * 24)),
|
||||
'secret' => 'secret2',
|
||||
'provider' => Auth::SESSION_PROVIDER_EMAIL,
|
||||
'providerUid' => 'test@example.com',
|
||||
]),
|
||||
];
|
||||
|
||||
$expireTime2 = -60 * 60 * 24;
|
||||
|
||||
$tokens2 = [
|
||||
new Document([ // Correct secret and type time, wrong expire time
|
||||
'$id' => ID::custom('token1'),
|
||||
'expire' => DateTime::formatTz(DateTime::addSeconds(new \DateTime(), -60 * 60 * 24)),
|
||||
'secret' => $hash,
|
||||
'provider' => Auth::SESSION_PROVIDER_EMAIL,
|
||||
'providerUid' => 'test@example.com',
|
||||
]),
|
||||
new Document([
|
||||
'$id' => ID::custom('token2'),
|
||||
'expire' => DateTime::formatTz(DateTime::addSeconds(new \DateTime(), -60 * 60 * 24)),
|
||||
'secret' => 'secret2',
|
||||
'provider' => Auth::SESSION_PROVIDER_EMAIL,
|
||||
'providerUid' => 'test@example.com',
|
||||
]),
|
||||
];
|
||||
|
||||
$this->assertEquals(Auth::sessionVerify($tokens1, $secret), 'token1');
|
||||
$this->assertEquals(Auth::sessionVerify($tokens1, 'false-secret'), false);
|
||||
$this->assertEquals(Auth::sessionVerify($tokens2, $secret), false);
|
||||
$this->assertEquals(Auth::sessionVerify($tokens2, 'false-secret'), false);
|
||||
$this->assertEquals(Auth::sessionVerify($tokens1, $secret, $expireTime1), 'token1');
|
||||
$this->assertEquals(Auth::sessionVerify($tokens1, 'false-secret', $expireTime1), false);
|
||||
$this->assertEquals(Auth::sessionVerify($tokens2, $secret, $expireTime2), false);
|
||||
$this->assertEquals(Auth::sessionVerify($tokens2, 'false-secret', $expireTime2), false);
|
||||
}
|
||||
|
||||
public function testTokenVerify(): void
|
||||
|
|
Loading…
Reference in a new issue