Compare commits

..

No commits in common. "06cf8161e9ac1244c1b9fb6b837d7a9d10b1afa9" and "4309d65c854c7d974efbbf14aed1ff5f3b528bd8" have entirely different histories.

4 changed files with 45 additions and 100 deletions

View File

@ -53,8 +53,8 @@ def auth_required(func):
await conn.execute(
"UPDATE user_session SET last_used = NOW(), "
"expires = NOW() + INTERVAL '30 DAYS' "
"WHERE user_id = $1 AND id = $2",
user_id, sid)
"WHERE user_id = $1",
user_id)
resp.set_cookie(
'userid',
user_id,

View File

@ -44,7 +44,7 @@ async def index(request):
"SELECT * FROM user_credential WHERE user_id = $1",
request['session']['id'])
active_sessions = await conn.fetch(
"SELECT id, ip_address, date_created, last_used FROM user_session "
"SELECT id, ip_address FROM user_session "
"WHERE user_id = $1",
request['session']['id'])
@ -224,11 +224,13 @@ async def get_session(request):
app = await conn.fetchrow("SELECT * FROM app_info WHERE id = $1", app_id)
if app:
if argon2.verify(app_key, app['key_hash']):
session = await conn.fetchrow(
sessions = await conn.fetch(
"SELECT * FROM user_session "
"WHERE user_id = $1 AND id = $2 AND expires > NOW()",
user_id, user_sid)
"WHERE user_id = $1 AND expires > NOW()",
user_id)
session = [s for s in sessions if s.get('id') == user_sid]
if session:
session = session[0]
data = await conn.fetchrow(
"SELECT user_info.username, app_user.session_data "
"FROM user_info LEFT JOIN app_user "
@ -242,8 +244,8 @@ async def get_session(request):
await conn.execute(
"UPDATE user_session SET last_used = NOW(), "
"expires = NOW() + INTERVAL '30 DAYS' "
"WHERE user_id = $1 AND id = $2",
user_id, user_sid)
"WHERE user_id = $1",
user_id)
await conn.close()
data_meta = dict(data)
@ -310,50 +312,6 @@ async def set_session(request):
return web.json_response(error)
@routes.post(config.url_prefix + '/delete_key', name='delete_key')
@auth.auth_required
async def delete_key(request):
"""Allows a user to delete a security key."""
data = await request.post()
async with request.app['pool'].acquire() as conn:
for key, value in data.items():
key_id = key.replace('fido-', '')
if not key_id:
continue
try:
key_id = int(key_id)
except ValueError:
continue
if value != 'on':
continue
await conn.execute(
"DELETE FROM user_credential "
"WHERE id = $1 AND user_id = $2",
key_id, request['session']['id'])
index_url = request.app.router['index'].url_for()
raise web.HTTPFound(location=index_url)
@routes.post(config.url_prefix + '/delete_session', name='delete_session')
@auth.auth_required
async def delete_session(request):
"""Allows a user to delete a session ."""
data = await request.post()
async with request.app['pool'].acquire() as conn:
for key, value in data.items():
session_id = key.replace('session-', '', 1)
if not session_id:
continue
if value != 'on':
continue
await conn.execute(
"DELETE FROM user_session "
"WHERE id = $1 AND user_id = $2",
session_id, request['session']['id'])
index_url = request.app.router['index'].url_for()
raise web.HTTPFound(location=index_url)
async def init_app():
"""Initializes the application."""
app = web.Application()

View File

@ -41,16 +41,15 @@ h2 {
list-style-type: none;
}
table {
#users {
border: 1px solid lightgray;
border-collapse: collapse;
width: 100%;
}
tr {
#users tr {
border: 1px solid lightgray;
}
td {
#users td {
text-align: center;
}

View File

@ -78,25 +78,22 @@
<article style="display: none;">
<hr>
{% if fido2_keys %}
<form action="{{ request.app.router['delete_key'].url_for() }}" method="POST" enctype="application/x-www-form-urlencoded">
<table id="security_keys">
<thead>
<tr>
<th>Nick</th>
<th>Delete</th>
</tr>
</thead>
<tbody>
{% for key in fido2_keys %}
<tr>
<td>{{ key['nick'] }}</td>
<td><input aria-label="Delete {{ key['nick'] }}" id="fido-{{ key['id'] }}" name="fido-{{ key['id'] }}" type="checkbox"></td>
</tr>
{% endfor %}
</tbody>
</table>
<input type="submit" value="Delete">
</form>
<table id="security_keys">
<thead>
<tr>
<th>Nick</th>
<th>Delete</th>
</tr>
</thead>
<tbody>
{% for key in fido2_keys %}
<tr>
<td>{{ key['nick'] }}</td>
<td><input aria-label="Delete {{ key['nick'] }}" id="fido-{{ key['id'] }}" name="fido-{{ key['id'] }}" type="checkbox"></td>
</tr>
{% endfor %}
</tbody>
</table>
{% else %}
<span>No registered keys.</span>
{% endif %}
@ -107,31 +104,22 @@
<h2>Active Sessions</h2>
<article style="display: none;">
<hr>
<form action="{{ request.app.router['delete_session'].url_for() }}" method="POST" enctype="application/x-www-form-urlencoded">
<table id="active_sessions">
<thead>
<tr>
<th>Session ID</th>
<th>IP Address</th>
<th>Created</th>
<th>Last Used</th>
<th>Delete</th>
</tr>
</thead>
<tbody>
{% for session in active_sessions %}
<tr>
<td><code>{{ session['id'][:5] }}...{{ session['id'][-5:] }}</code></td>
<td>{{ session['ip_address'] }}</td>
<td>{{ session['date_created'].strftime('%Y-%m-%d %H:%M') }}</td>
<td>{{ session['last_used'].strftime('%Y-%m-%d %H:%M') }}</td>
<td><input aria-label="Delete {{ session['id'][:5] }}...{{ session['id'][-5:] }}" id="session-{{ session['id'] }}" name="session-{{ session['id'] }}" type="checkbox"></td>
</tr>
{% endfor %}
</tbody>
</table>
<input type="submit" value="Delete">
</form>
<table id="active_sessions">
<thead>
<tr>
<th>IP Address</th>
<th>Delete</th>
</tr>
</thead>
<tbody>
{% for session in active_sessions %}
<tr>
<td>{{ session['ip_address'] }}</td>
<td><input aria-label="Delete {{ session['id'][:5] }}" id="session-{{ session['id'][:5] }}" name="session-{{ session['id'][:5] }}" type="checkbox"></td>
</tr>
{% endfor %}
</tbody>
</table>
</article>
</section>
</main>