diff --git a/auth.py b/auth.py
index 9a008bc..800e3ec 100644
--- a/auth.py
+++ b/auth.py
@@ -53,8 +53,8 @@ def auth_required(func):
 await conn.execute(
 "UPDATE user_session SET last_used = NOW(), "
 "expires = NOW() + INTERVAL '30 DAYS' "
- "WHERE user_id = $1",
- user_id)
+ "WHERE user_id = $1 AND id = $2",
+ user_id, sid)
 resp.set_cookie(
 'userid', user_id,
diff --git a/buckler.py b/buckler.py
index 0caf803..02892dc 100644
--- a/buckler.py
+++ b/buckler.py
@@ -224,13 +224,11 @@ async def get_session(request):
 app = await conn.fetchrow("SELECT * FROM app_info WHERE id = $1", app_id)
 if app:
 if argon2.verify(app_key, app['key_hash']):
- sessions = await conn.fetch(
+ session = await conn.fetchrow(
 "SELECT * FROM user_session "
- "WHERE user_id = $1 AND expires > NOW()",
- user_id)
- session = [s for s in sessions if s.get('id') == user_sid]
+ "WHERE user_id = $1 AND id = $2 AND expires > NOW()",
+ user_id, user_sid)
 if session:
- session = session[0]
 data = await conn.fetchrow(
 "SELECT user_info.username, app_user.session_data "
 "FROM user_info LEFT JOIN app_user "
@@ -244,8 +242,8 @@ async def get_session(request):
 await conn.execute(
 "UPDATE user_session SET last_used = NOW(), "
 "expires = NOW() + INTERVAL '30 DAYS' "
- "WHERE user_id = $1",
- user_id)
+ "WHERE user_id = $1 AND id = $2",
+ user_id, sid)
 await conn.close()
 data_meta = dict(data)
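Review bot: The refresh UPDATE in auth.py is now correctly scoped to one session row, but its result is never checked, so when `user_id`/`sid` match no row (a session that was revoked or never existed) the code still falls through to `resp.set_cookie(...)` and re-issues the cookies; the same unchecked UPDATE appears in the second buckler.py hunk. Consider capturing the status and bailing out when nothing was touched, e.g. `status = await conn.execute(...)` followed by `if status != "UPDATE 1": return <unauthenticated response>`, or use `... RETURNING id` with `fetchrow` and test the returned row; the exact status-string form depends on the driver, which this hunk does not show. The UPDATE also has no `expires > NOW()` predicate, so if the caller can reach this line with an already-expired session the row is silently revived — whether an earlier check prevents that is outside the hunk. `auth_required` starts and ends outside the hunk, and where `sid` is read from is not visible here.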
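Review bot: Moving the session-id match from Python (`s.get('id') == user_sid`) into the query (`id = $2`) changes what happens when `user_sid` does not have the column's type: the old comparison simply yielded no match, whereas a Postgres driver using `$n` placeholders will typically reject a mismatched parameter (e.g. a non-numeric or non-UUID string for an integer/uuid column) with a data error before the query runs, which surfaces as an unhandled exception instead of the "no session" path. If `user_sid` originates from a client-supplied cookie or header, validate or convert it to the column's type before the `fetchrow` call and treat a conversion failure as "no session", e.g. `try: user_sid = int(user_sid) except (TypeError, ValueError): session = None`, adjusting the conversion to the real type of `user_session.id`, which this hunk does not show. `get_session` begins before the hunk and the branch taken when `session` is falsy lies after it, so it is not visible whether that path returns an explicit unauthenticated response.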