master
Aevann1 2021-12-21 22:03:13 +02:00
parent 833bee6e49
commit 3ee2c0749f
4 changed files with 10 additions and 15 deletions

View File

@ -108,7 +108,7 @@ def before_request():
if not request.path.startswith("/assets") and not request.path.startswith("/images") and not request.path.startswith("/hostedimages"): if not request.path.startswith("/assets") and not request.path.startswith("/images") and not request.path.startswith("/hostedimages"):
session.permanent = True session.permanent = True
if not session.get("session_id"): session["session_id"] = secrets.token_hex(50) if not session.get("session_id"): session["session_id"] = secrets.token_hex(52)
if request.url.startswith("http://") and "localhost" not in app.config["SERVER_NAME"]: if request.url.startswith("http://") and "localhost" not in app.config["SERVER_NAME"]:
url = request.url.replace("http://", "https://", 1) url = request.url.replace("http://", "https://", 1)

View File

@ -300,8 +300,7 @@ class User(Base):
@lazy @lazy
def formkey(self): def formkey(self):
if "session_id" not in session: if "session_id" not in session: session["session_id"] = token_hex(52)
session["session_id"] = token_hex(50)
msg = f"{session['session_id']}+{self.id}+{self.login_nonce}" msg = f"{session['session_id']}+{self.id}+{self.login_nonce}"

View File

@ -14,14 +14,13 @@ def get_logged_in_user():
v.client = client v.client = client
return v return v
else: else:
uid = session.get("user_id")
nonce = session.get("login_nonce", 0) nonce = session.get("login_nonce", 0)
logged_in = session.get("logged_in") logged_in_user = session.get("logged_in_user")
if not uid or not logged_in or uid != logged_in: return None if not logged_in_user: return None
try: try:
if g.db: v = g.db.query(User).filter_by(id=logged_in).one_or_none() if g.db: v = g.db.query(User).filter_by(id=logged_in_user).one_or_none()
else: return None else: return None
except: return None except: return None

View File

@ -134,9 +134,8 @@ def login_post():
else: else:
abort(400) abort(400)
session["user_id"] = account.id session["logged_in_user"] = account.id
session["logged_in"] = account.id session["session_id"] = token_hex(52)
session["session_id"] = token_hex(50)
session["login_nonce"] = account.login_nonce session["login_nonce"] = account.login_nonce
session.permanent = True session.permanent = True
@ -164,9 +163,8 @@ def me(v):
@validate_formkey @validate_formkey
def logout(v): def logout(v):
session.pop("user_id", None)
session.pop("session_id", None) session.pop("session_id", None)
session.pop("logged_in", None) session.pop("logged_in_user", None)
return {"message": "Logout successful!"} return {"message": "Logout successful!"}
@ -340,9 +338,8 @@ def sign_up_post(v):
if "rama" in request.host: send_notification(new_user.id, WELCOME_MSG) if "rama" in request.host: send_notification(new_user.id, WELCOME_MSG)
session["user_id"] = new_user.id session["logged_in_user"] = new_user.id
session["logged_in"] = new_user.id session["session_id"] = token_hex(52)
session["session_id"] = token_hex(50)
g.db.commit() g.db.commit()