Albirew/nyaa-pantsu
Archivé
1
0
Bifurcation 0

Revert "Stateless cookies (#372)"

This reverts commit 2f06fb8fa1.
Cette révision appartient à :
Eliot Whalan 2017-05-12 16:42:15 +10:00
Parent bd7933536f
révision bcaac0961f
6 fichiers modifiés avec 100 ajouts et 90 suppressions

Voir le fichier

@ -10,5 +10,6 @@ var Trackers = []string{
"udp://explodie.org:6969",
"udp://tracker.opentrackr.org:1337",
"udp://tracker.internetwarriors.net:1337/announce",
"udp://eddie4.nl:6969/announce",
"http://mgtracker.org:6969/announce",
"http://tracker.baka-sub.cf/announce"}

Voir le fichier

@ -12,9 +12,8 @@ type User struct {
Status int `gorm:"column:status"`
CreatedAt time.Time `gorm:"column:created_at"`
UpdatedAt time.Time `gorm:"column:updated_at"`
// Currently unused (auth is stateless now)
/*Token string `gorm:"column:api_token"`
TokenExpiration time.Time `gorm:"column:api_token_expiry"`*/
Token string `gorm:"column:api_token"`
TokenExpiration time.Time `gorm:"column:api_token_expiry"`
Language string `gorm:"column:language"`
// TODO: move this to PublicUser
@ -43,7 +42,7 @@ func (u User) Size() (s int) {
4*3 + //time.Time
3*2 + // arrays
// string arrays
len(u.Username) + len(u.Password) + len(u.Email) + len(u.MD5) + len(u.Language)
len(u.Username) + len(u.Password) + len(u.Email) + len(u.Token) + len(u.MD5) + len(u.Language)
s *= 8
// Ignoring foreign key users. Fuck them.

Voir le fichier

@ -5,98 +5,96 @@ import (
"github.com/ewhal/nyaa/db"
"github.com/ewhal/nyaa/model"
formStruct "github.com/ewhal/nyaa/service/user/form"
"github.com/ewhal/nyaa/util/log"
"github.com/ewhal/nyaa/util/modelHelper"
"github.com/ewhal/nyaa/util/timeHelper"
"github.com/gorilla/securecookie"
"golang.org/x/crypto/bcrypt"
"net/http"
"strconv"
"time"
)
const CookieName = "session"
// If you want to keep login cookies between restarts you need to make these permanent
var cookieHandler = securecookie.New(
securecookie.GenerateRandomKey(64),
securecookie.GenerateRandomKey(32))
// Encoding & Decoding of the cookie value
func DecodeCookie(cookie_value string) (uint, error) {
value := make(map[string]string)
err := cookieHandler.Decode(CookieName, cookie_value, &value)
func Token(r *http.Request) (string, error) {
var token string
cookie, err := r.Cookie("session")
if err != nil {
return 0, err
return token, err
}
time_int, _ := strconv.ParseInt(value["t"], 10, 0)
if timeHelper.IsExpired(time.Unix(time_int, 0)) {
return 0, errors.New("Cookie is expired")
cookieValue := make(map[string]string)
err = cookieHandler.Decode("session", cookie.Value, &cookieValue)
if err != nil {
return token, err
}
ret, err := strconv.ParseUint(value["u"], 10, 0)
return uint(ret), err
token = cookieValue["token"]
if len(token) == 0 {
return token, errors.New("token is empty")
}
return token, nil
}
func EncodeCookie(user_id uint) (string, error) {
validUntil := timeHelper.FewDaysLater(7) // 1 week
// SetCookie sets a cookie.
func SetCookie(w http.ResponseWriter, token string) (int, error) {
value := map[string]string{
"u": strconv.FormatUint(uint64(user_id), 10),
"t": strconv.FormatInt(validUntil.Unix(), 10),
"token": token,
}
return cookieHandler.Encode(CookieName, value)
encoded, err := cookieHandler.Encode("session", value)
if err != nil {
return http.StatusInternalServerError, err
}
cookie := &http.Cookie{
Name: "session",
Value: encoded,
Path: "/",
}
http.SetCookie(w, cookie)
return http.StatusOK, nil
}
// ClearCookie clears a cookie.
func ClearCookie(w http.ResponseWriter) (int, error) {
cookie := &http.Cookie{
Name: CookieName,
Name: "session",
Value: "",
Path: "/",
HttpOnly: true,
MaxAge: -1,
}
http.SetCookie(w, cookie)
return http.StatusOK, nil
}
// SetCookieHandler sets the authentication cookie
// SetCookieHandler sets a cookie with email and password.
func SetCookieHandler(w http.ResponseWriter, email string, pass string) (int, error) {
if email == "" || pass == "" {
return http.StatusNotFound, errors.New("No username/password entered")
}
var user model.User
// search by email or username
isValidEmail, _ := formStruct.EmailValidation(email, formStruct.NewErrors())
if isValidEmail {
if db.ORM.Where("email = ?", email).First(&user).RecordNotFound() {
return http.StatusNotFound, errors.New("User not found")
if email != "" && pass != "" {
var user model.User
isValidEmail, _ := formStruct.EmailValidation(email, formStruct.NewErrors())
if isValidEmail {
log.Debug("User entered valid email.")
if db.ORM.Where("email = ?", email).First(&user).RecordNotFound() {
return http.StatusNotFound, errors.New("User not found")
}
} else {
log.Debug("User entered username.")
if db.ORM.Where("username = ?", email).First(&user).RecordNotFound() {
return http.StatusNotFound, errors.New("User not found")
}
}
} else {
if db.ORM.Where("username = ?", email).First(&user).RecordNotFound() {
return http.StatusNotFound, errors.New("User not found")
err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(pass))
if err != nil {
return http.StatusUnauthorized, errors.New("Password incorrect")
}
if user.Status == -1 {
return http.StatusUnauthorized, errors.New("Account banned")
}
status, err := SetCookie(w, user.Token)
if err != nil {
return status, err
}
w.Header().Set("X-Auth-Token", user.Token)
return http.StatusOK, nil
}
err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(pass))
if err != nil {
return http.StatusUnauthorized, errors.New("Password incorrect")
}
if user.Status == -1 {
return http.StatusUnauthorized, errors.New("Account banned")
}
encoded, err := EncodeCookie(user.ID)
if err != nil {
return http.StatusInternalServerError, err
}
cookie := &http.Cookie{
Name: CookieName,
Value: encoded,
Path: "/",
HttpOnly: true,
}
http.SetCookie(w, cookie)
// also set response header for convenience
w.Header().Set("X-Auth-Token", encoded)
return http.StatusOK, nil
return http.StatusNotFound, errors.New("user not found")
}
// RegisterHanderFromForm sets cookie from a RegistrationForm.
@ -113,31 +111,24 @@ func RegisterHandler(w http.ResponseWriter, r *http.Request) (int, error) {
return RegisterHanderFromForm(w, registrationForm)
}
// CurrentUser determines the current user from the request
// CurrentUser get a current user.
func CurrentUser(r *http.Request) (model.User, error) {
var user model.User
var encoded string
encoded = r.Header.Get("X-Auth-Token")
if len(encoded) == 0 {
// check cookie instead
cookie, err := r.Cookie(CookieName)
var token string
var err error
token = r.Header.Get("X-Auth-Token")
if len(token) > 0 {
log.Debug("header token exists")
} else {
token, err = Token(r)
log.Debug("header token does not exist")
if err != nil {
return user, err
}
encoded = cookie.Value
}
user_id, err := DecodeCookie(encoded)
if err != nil {
return user, err
if db.ORM.Where("api_token = ?", token).First(&user).RecordNotFound() {
return user, errors.New("user not found")
}
if db.ORM.Where("user_id = ?", user_id).First(&user).RecordNotFound() {
return user, errors.New("User not found")
}
if user.Status == -1 {
// recheck as user might've been banned in the meantime
return user, errors.New("Account banned")
}
return user, nil
err = db.ORM.Model(&user).Error
return user, err
}

Voir le fichier

@ -7,6 +7,7 @@ import (
"strconv"
"time"
"github.com/ewhal/nyaa/config"
"github.com/ewhal/nyaa/db"
"github.com/ewhal/nyaa/model"
formStruct "github.com/ewhal/nyaa/service/user/form"
@ -14,6 +15,7 @@ import (
"github.com/ewhal/nyaa/util/crypto"
"github.com/ewhal/nyaa/util/log"
"github.com/ewhal/nyaa/util/modelHelper"
"github.com/ewhal/nyaa/util/timeHelper"
"golang.org/x/crypto/bcrypt"
)
@ -67,8 +69,15 @@ func CreateUserFromForm(registrationForm formStruct.RegistrationForm) (model.Use
return user, err
}
}
token, err := crypto.GenerateRandomToken32()
if err != nil {
return user, errors.New("token not generated")
}
user.Email = "" // unset email because it will be verified later
user.Token = token
user.TokenExpiration = timeHelper.FewDaysLater(config.AuthTokenExpirationDay)
log.Debugf("user %+v\n", user)
if db.ORM.Create(&user).Error != nil {
return user, errors.New("user not created")
}
@ -148,13 +157,17 @@ func UpdateUserCore(user *model.User) (int, error) {
}
}
user.UpdatedAt = time.Now()
err := db.ORM.Save(user).Error
token, err := crypto.GenerateRandomToken32()
if err != nil {
return http.StatusInternalServerError, err
}
user.Token = token
user.TokenExpiration = timeHelper.FewDaysLater(config.AuthTokenExpirationDay)
if db.ORM.Save(user).Error != nil {
return http.StatusInternalServerError, err
}
user.UpdatedAt = time.Now()
return http.StatusOK, nil
}
@ -184,13 +197,18 @@ func UpdateUser(w http.ResponseWriter, form *formStruct.UserForm, currentUser *m
form.Username = user.Username
}
if (form.Email != user.Email) {
// send verification to new email and keep old
SendVerificationToUser(user, form.Email)
form.Email = user.Email
}
log.Debugf("form %+v\n", form)
modelHelper.AssignValue(&user, form)
status, err := UpdateUserCore(&user)
if err != nil {
return user, status, err
}
if userPermission.CurrentUserIdentical(currentUser, user.ID) {
status, err = SetCookie(w, user.Token)
}
return user, status, err
}

Voir le fichier

@ -45,6 +45,7 @@ udp://tracker.leechers-paradise.org:6969
udp://explodie.org:6969
udp://tracker.opentrackr.org:1337
udp://tracker.internetwarriors.net:1337/announce
udp://eddie4.nl:6969/announce
http://mgtracker.org:6969/announce
http://tracker.baka-sub.cf/announce</pre>

Voir le fichier

@ -1,4 +1,4 @@
{{define "title"}}{{ T "sign_in_title" }}{{end}}
{{define "title"}}{{ T "sign_in_title" }}{{end}}
{{define "contclass"}}cont-view{{end}}
{{define "content"}}
<div class="blockBody">
@ -24,8 +24,8 @@
{{end}}
</div>
<span class="button-checkbox">
<!-- <button type="button" class="btn hidden" data-color="info">{{ T "remember_me"}}</button>
<input type="checkbox" name="remember_me" id="remember_me" checked="checked"> -->
<button type="button" class="btn hidden" data-color="info">{{ T "remember_me"}}</button>
<input type="checkbox" name="remember_me" id="remember_me" checked="checked">
<a href="" class="btn btn-link pull-right">{{ T "forgot_password"}}</a>
</span>
<hr class="colorgraph">