From 6e51189d4dab6f3e3ee3f5eb6738a08d300a5753 Mon Sep 17 00:00:00 2001
From: Omar Roth
Date: Wed, 20 Mar 2019 11:01:54 -0500
Subject: [PATCH] Expire nonce on register
---
 src/invidious.cr | 2 +-
 src/invidious/jobs.cr | 15 +++++++++------
 src/invidious/users.cr | 10 +++++++---
 3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/src/invidious.cr b/src/invidious.cr
index e3c23d8d..af810bd2 100644
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -1795,9 +1795,9 @@ post "/delete_account" do |env|
 end
 view_name = "subscriptions_#{sha256(user.email)[0..7]}"
- PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
 PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
 PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
+ PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
 env.request.cookies.each do |cookie|
 cookie.expires = Time.new(1990, 1, 1)
diff --git a/src/invidious/jobs.cr b/src/invidious/jobs.cr
index 50374601..d55d8a40 100644
--- a/src/invidious/jobs.cr
+++ b/src/invidious/jobs.cr
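Review bot: With `DROP MATERIALIZED VIEW #{view_name}` now placed after the two DELETEs, a failing drop (the view can legitimately be absent — the jobs.cr hunk in this same commit treats a missing view as a normal case) raises after the users and session_ids rows are already gone, so the caller sees an error for an account that was in fact deleted. Making the drop idempotent, `PG_DB.exec("DROP MATERIALIZED VIEW IF EXISTS #{view_name}")`, removes that failure mode, and if the driver's transaction block is usable here, running the three statements inside one would keep the deletes and the drop atomic. Interpolating `view_name` into the statement is only acceptable because the hunk shows it is built from a sha256 hex prefix; a one-line comment stating that would stop a later edit from reusing the pattern with a raw value. The enclosing `post "/delete_account"` handler starts and ends outside this hunk.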
@@ -132,12 +132,15 @@ def refresh_feeds(db, logger, max_threads = 1)
 db.exec("REFRESH MATERIALIZED VIEW #{view_name}")
 rescue ex
 # Create view if it doesn't exist
- if ex.message.try &.ends_with? "does not exist"
- db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
- SELECT * FROM channel_videos WHERE \
- ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
- ORDER BY published DESC;")
- logger.write("CREATE #{view_name}")
+ if ex.message.try &.ends_with?("does not exist")
+ # While iterating through, we may have an email stored from a deleted account
+ if db.query_one?("SELECT true FROM users WHERE email = $1", email, as: Bool)
+ db.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
+ SELECT * FROM channel_videos WHERE \
+ ucid = ANY ((SELECT subscriptions FROM users WHERE email = E'#{email.gsub("'", "\\'")}')::text[]) \
+ ORDER BY published DESC;")
+ logger.write("CREATE #{view_name}")
+ end
 else
 logger.write("REFRESH #{email} : #{ex.message}\n")
 end
diff --git a/src/invidious/users.cr b/src/invidious/users.cr
index 1131c77e..d7b0e14c 100644
--- a/src/invidious/users.cr
+++ b/src/invidious/users.cr
@@ -255,8 +255,12 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
 challenge = OpenSSL::HMAC.digest(:sha256, key, challenge)
 challenge = Base64.urlsafe_encode(challenge)
- if db.query_one?("SELECT EXISTS (SELECT true FROM nonces WHERE nonce = $1)", nonce, as: Bool)
- db.exec("DELETE FROM nonces * WHERE nonce = $1", nonce)
+ if nonce = db.query_one?("SELECT * FROM nonces WHERE nonce = $1", nonce, as: {String, Time})
+ if nonce[1] > Time.now
+ db.exec("UPDATE nonces SET expire = $1 WHERE nonce = $2", Time.new(1990, 1, 1), nonce[0])
+ else
+ raise translate(locale, "Invalid token")
+ end
 else
 raise translate(locale, "Invalid token")
 end
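Review bot: The re-added `CREATE MATERIALIZED VIEW` body still builds the `E'...'` literal by hand with `email.gsub("'", "\\'")`, which escapes single quotes but not backslashes, so an email value containing a backslash can still end the literal early; the new `SELECT true FROM users WHERE email = $1` guard is parameterized, but it does not change that. Bind parameters are not accepted inside a `CREATE ... AS SELECT`, so the practical fix is to escape both characters, `email.gsub("\\", "\\\\").gsub("'", "\\'")`, ideally factored into a small helper so the two copies of this statement cannot drift; where the email is validated at registration is not visible here, so I would not rely on it. The existence check and the CREATE are separate statements, so an account deleted between them still gets a view — benign given the delete path, but worth a one-line comment next to the check. Matching `ex.message` against `"does not exist"` is also fragile (the text depends on the server's message locale), though that predates this commit. refresh_feeds starts and ends outside this hunk.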
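Review bot: The nonce is consumed in two steps — the `SELECT * FROM nonces WHERE nonce = $1` read, then the `UPDATE` that back-dates `expire` — so two requests presenting the same nonce at the same moment can both pass the `nonce[1] > Time.now` check before either update lands, which is the replay the nonce exists to prevent. Doing the check and the consumption in a single statement closes that window: `consumed = db.query_one?("UPDATE nonces SET expire = $1 WHERE nonce = $2 AND expire > $3 RETURNING nonce", Time.new(1990, 1, 1), nonce, Time.now, as: String)` followed by `raise translate(locale, "Invalid token") unless consumed`, assuming the driver returns the RETURNING row through query_one? as it does for a SELECT. Reading `SELECT *` into a positional `{String, Time}` tuple ties the code to the column order of the nonces table (`SELECT nonce, expire` is safer), and reusing `nonce` as the name of that tuple — a String before the `if`, a tuple inside it — makes `nonce[0]`/`nonce[1]` harder to follow than a separate name such as `row`. validate_response starts and ends outside this hunk.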
@@ -270,7 +274,7 @@ def validate_response(challenge, token, user_id, operation, key, db, locale)
 end
 if challenge_user_id != user_id
- raise translate(locale, "Invalid user")
+ raise translate(locale, "Invalid token")
 end
 if expire < Time.now.to_unix