
session validation/invalidation

+19 -6
+1 -1
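--- a/admin/http.go
+++ b/admin/http.go
@@ -483,7 +483,7 @@
 
 func enforceSession(app *model.AppState, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		session, err := controller.GetSessionFromRequest(app.DB, r)
+		session, err := controller.GetSessionFromRequest(app, r)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)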
+1 -1
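--- a/api/release.go
+++ b/api/release.go
@@ -20,7 +20,7 @@
 	// only allow authorised users to view hidden releases
 	privileged := false
 	if !release.Visible {
-		session, err := controller.GetSessionFromRequest(app.DB, r)
+		session, err := controller.GetSessionFromRequest(app, r)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)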
+16 -3
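--- a/controller/session.go
+++ b/controller/session.go
@@ -8,6 +8,7 @@
 	"strings"
 	"time"
 
+	"arimelody-web/log"
 	"arimelody-web/model"
 
 	"github.com/jmoiron/sqlx"
@@ -15,7 +16,7 @@
 
 const TOKEN_LEN = 64
 
-func GetSessionFromRequest(db *sqlx.DB, r *http.Request) (*model.Session, error) {
+func GetSessionFromRequest(app *model.AppState, r *http.Request) (*model.Session, error) {
 	sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
 	if err != nil && err != http.ErrNoCookie {
 		return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v", err))
@@ -25,14 +26,26 @@
 
 	if sessionCookie != nil {
 		// fetch existing session
-		session, err = GetSession(db, sessionCookie.Value)
+		session, err = GetSession(app.DB, sessionCookie.Value)
 
 		if err != nil && !strings.Contains(err.Error(), "no rows") {
 			return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v", err))
 		}
 
 		if session != nil {
-			// TODO: consider running security checks here (i.e. user agent mismatches)
+			if session.UserAgent != r.UserAgent() {
+				msg := "Session user agent mismatch. A cookie may have been hijacked!"
+				if session.Account != nil {
+					account, _ := GetAccountByID(app.DB, session.Account.ID)
+					msg += " (Account \"" + account.Username + "\")"
+				}
+				app.Log.Warn(log.TYPE_ACCOUNT, msg)
+				err = DeleteSession(app.DB, session.Token)
+				if err != nil {
+					app.Log.Warn(log.TYPE_ACCOUNT, "Failed to delete affected session")
+				}
+				return nil, nil
+			}
 		}
 	}
 
 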
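Review bot: In the new user-agent mismatch branch, `account, _ := GetAccountByID(app.DB, session.Account.ID)` discards the lookup error and then dereferences `account.Username`, so if the lookup fails or returns nil (for example an account deleted while its session row lingered) the request panics on exactly the branch meant to be defensive. Guard it: `if account, err := GetAccountByID(app.DB, session.Account.ID); err == nil && account != nil {` / `msg += " (Account \"" + account.Username + "\")"` / `}`. The check itself deserves a caveat in a comment, because the User-Agent is chosen by the client — a hijacker who copied the cookie can copy the header too, while a routine browser update changes it for a legitimate user — so this is a heuristic that will log false "hijacked" warnings and force re-login on upgrades rather than a hijack detector; suggested comment `// Heuristic only: the UA is client-controlled and changes on browser upgrades; a mismatch invalidates the session but is not proof of theft.` The second Warn also drops the DeleteSession error, which is the one detail an operator would want when cleanup fails, e.g. `app.Log.Warn(log.TYPE_ACCOUNT, "Failed to delete affected session: "+err.Error())`. GetSessionFromRequest continues past the end of this section.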
+1 -1
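--- a/view/music.go
+++ b/view/music.go
@@ -60,7 +60,7 @@
 	// only allow authorised users to view hidden releases
 	privileged := false
 	if !release.Visible {
-		session, err := controller.GetSessionFromRequest(app.DB, r)
+		session, err := controller.GetSessionFromRequest(app, r)
 		if err != nil {
 			fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err)
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)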