From 06cf8161e9ac1244c1b9fb6b837d7a9d10b1afa9 Mon Sep 17 00:00:00 2001
From: iou1name <iou1name@national.shitposting.agency>
Date: Thu, 26 Sep 2019 19:23:04 -0400
Subject: [PATCH] last_used only updates the key that was used

---
 auth.py    |  4 ++--
 buckler.py | 12 +++++-------
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/auth.py b/auth.py
index 9a008bc..800e3ec 100644
--- a/auth.py
+++ b/auth.py
@@ -53,8 +53,8 @@ def auth_required(func):
 					await conn.execute(
 						"UPDATE user_session SET last_used = NOW(), "
 						"expires = NOW() + INTERVAL '30 DAYS' "
-						"WHERE user_id = $1",
-						user_id)
+						"WHERE user_id = $1 AND id = $2",
+						user_id, sid)
 				resp.set_cookie(
 					'userid',
 					user_id,
diff --git a/buckler.py b/buckler.py
index 0caf803..02892dc 100644
--- a/buckler.py
+++ b/buckler.py
@@ -224,13 +224,11 @@ async def get_session(request):
 	app = await conn.fetchrow("SELECT * FROM app_info WHERE id = $1", app_id)
 	if app:
 		if argon2.verify(app_key, app['key_hash']):
-			sessions = await conn.fetch(
+			session = await conn.fetchrow(
 				"SELECT * FROM user_session "
-				"WHERE user_id = $1 AND expires > NOW()",
-				user_id)
-			session = [s for s in sessions if s.get('id') == user_sid]
+				"WHERE user_id = $1 AND id = $2 AND expires > NOW()",
+				user_id, user_sid)
 			if session:
-				session = session[0]
 				data = await conn.fetchrow(
 					"SELECT user_info.username, app_user.session_data "
 					"FROM user_info LEFT JOIN app_user "
@@ -244,8 +242,8 @@ async def get_session(request):
 					await conn.execute(
 						"UPDATE user_session SET last_used = NOW(), "
 						"expires = NOW() + INTERVAL '30 DAYS' "
-						"WHERE user_id = $1",
-						user_id)
+						"WHERE user_id = $1 AND id = $2",
+						user_id, user_sid)
 				await conn.close()
 
 				data_meta = dict(data)