auth.py

@@ -53,8 +53,8 @@ def auth_required(func):
 					await conn.execute(
 						"UPDATE user_session SET last_used = NOW(), "
 						"expires = NOW() + INTERVAL '30 DAYS' "
-						"WHERE user_id = $1 AND id = $2",
+						"WHERE user_id = $1",
-						user_id, sid)
+						user_id)
 				resp.set_cookie(
 					'userid',
 					user_id,

buckler.py

@@ -44,7 +44,7 @@ async def index(request):
 			"SELECT * FROM user_credential WHERE user_id = $1",
 			request['session']['id'])
 		active_sessions = await conn.fetch(
-			"SELECT id, ip_address, date_created, last_used FROM user_session "
+			"SELECT id, ip_address FROM user_session "
 			"WHERE user_id = $1",
 			request['session']['id'])
 
@@ -224,11 +224,13 @@ async def get_session(request):
 	app = await conn.fetchrow("SELECT * FROM app_info WHERE id = $1", app_id)
 	if app:
 		if argon2.verify(app_key, app['key_hash']):
-			session = await conn.fetchrow(
+			sessions = await conn.fetch(
 				"SELECT * FROM user_session "
-				"WHERE user_id = $1 AND id = $2 AND expires > NOW()",
+				"WHERE user_id = $1 AND expires > NOW()",
-				user_id, user_sid)
+				user_id)
+			session = [s for s in sessions if s.get('id') == user_sid]
 			if session:
+				session = session[0]
 				data = await conn.fetchrow(
 					"SELECT user_info.username, app_user.session_data "
 					"FROM user_info LEFT JOIN app_user "
@@ -242,8 +244,8 @@ async def get_session(request):
 					await conn.execute(
 						"UPDATE user_session SET last_used = NOW(), "
 						"expires = NOW() + INTERVAL '30 DAYS' "
-						"WHERE user_id = $1 AND id = $2",
+						"WHERE user_id = $1",
-						user_id, user_sid)
+						user_id)
 				await conn.close()
 
 				data_meta = dict(data)
@@ -310,50 +312,6 @@ async def set_session(request):
 	return web.json_response(error)
 
 
-@routes.post(config.url_prefix + '/delete_key', name='delete_key')
-@auth.auth_required
-async def delete_key(request):
-	"""Allows a user to delete a security key."""
-	data = await request.post()
-	async with request.app['pool'].acquire() as conn:
-		for key, value in data.items():
-			key_id = key.replace('fido-', '')
-			if not key_id:
-				continue
-			try:
-				key_id = int(key_id)
-			except ValueError:
-				continue
-			if value != 'on':
-				continue
-			await conn.execute(
-				"DELETE FROM user_credential "
-				"WHERE id = $1 AND user_id = $2",
-				key_id, request['session']['id'])
-	index_url = request.app.router['index'].url_for()
-	raise web.HTTPFound(location=index_url)
-
-
-@routes.post(config.url_prefix + '/delete_session', name='delete_session')
-@auth.auth_required
-async def delete_session(request):
-	"""Allows a user to delete a session ."""
-	data = await request.post()
-	async with request.app['pool'].acquire() as conn:
-		for key, value in data.items():
-			session_id = key.replace('session-', '', 1)
-			if not session_id:
-				continue
-			if value != 'on':
-				continue
-			await conn.execute(
-				"DELETE FROM user_session "
-				"WHERE id = $1 AND user_id = $2",
-				session_id, request['session']['id'])
-	index_url = request.app.router['index'].url_for()
-	raise web.HTTPFound(location=index_url)
-
-
 async def init_app():
 	"""Initializes the application."""
 	app = web.Application()

static/buckler.css

@@ -41,16 +41,15 @@ h2 {
 	list-style-type: none;
 }
 
-table {
+#users {
 	border: 1px solid lightgray;
 	border-collapse: collapse; 
-	width: 100%;
 }
 
-tr {
+#users tr {
 	border: 1px solid lightgray;
 }
 
-td {
+#users td {
 	text-align: center;
 }

templates/index.html

@@ -78,7 +78,6 @@
 				<article style="display: none;">
 					<hr>
 					{% if fido2_keys %}
-					<form action="{{ request.app.router['delete_key'].url_for() }}" method="POST" enctype="application/x-www-form-urlencoded">
 					<table id="security_keys">
 						<thead>
 							<tr>
@@ -95,8 +94,6 @@
 							{% endfor %}
 						</tbody>
 					</table>
-						<input type="submit" value="Delete">
-					</form>
 					{% else %}
 					<span>No registered keys.</span>
 					{% endif %}
@@ -107,31 +104,22 @@
 				<h2>Active Sessions</h2>
 				<article style="display: none;">
 					<hr>
-					<form action="{{ request.app.router['delete_session'].url_for() }}" method="POST" enctype="application/x-www-form-urlencoded">
 					<table id="active_sessions">
 						<thead>
 							<tr>
-									<th>Session ID</th>
 								<th>IP Address</th>
-									<th>Created</th>
-									<th>Last Used</th>
 								<th>Delete</th>
 							</tr>
 						</thead>
 						<tbody>
 							{% for session in active_sessions %}
 							<tr>
-									<td><code>{{ session['id'][:5] }}...{{ session['id'][-5:] }}</code></td>
 								<td>{{ session['ip_address'] }}</td>
-									<td>{{ session['date_created'].strftime('%Y-%m-%d %H:%M') }}</td>
+								<td><input aria-label="Delete {{ session['id'][:5] }}" id="session-{{ session['id'][:5] }}" name="session-{{ session['id'][:5] }}"  type="checkbox"></td>
-									<td>{{ session['last_used'].strftime('%Y-%m-%d %H:%M') }}</td>
-									<td><input aria-label="Delete {{ session['id'][:5] }}...{{ session['id'][-5:] }}" id="session-{{ session['id'] }}" name="session-{{ session['id'] }}"  type="checkbox"></td>
 							</tr>
 							{% endfor %}
 						</tbody>
 					</table>
-						<input type="submit" value="Delete">
-					</form>
 				</article>
 			</section>
 		</main>