Deux: patch improper logins for post-seeding accs.

Deux's users were originally seeded from a clone of the rDrama DB. Thereby, user IDs are paired between the sites, and this is further the only clear means by which we can link accounts between the sites. However, signups on either site after the seeding will not have synchronized IDs. Newer accounts on Drama could thereby be used to sign into the Deux account with the same user_id. There's no clear way to solve this without going to a shared identity provider for both. In the interim, we restrict shared login to users from before divergence began. This is a kludge, but it works.
2022-07-14 03:00:08 -04:00 · 2022-07-14 03:00:08 -04:00 · dfa700ab1a
parent a217f76bad
commit dfa700ab1a
1 changed files with 6 additions and 0 deletions
--- a/files/routes/login.py
+++ b/files/routes/login.py
@ -162,6 +162,12 @@ def loginshared_authenticate(v, site_for):
 	if not (SITE == 'rdrama.net' and site_for == 'deuxrama.net'):
 		abort(403)

+	# Kludge to prevent accounts created after the DB seeding (on either site)
+	# from being improperly logged into. The only account matching we have is
+	# based on user_id, which isn't guaranteed identical post-seeding.
+	if v.id > 12335:
+		abort(500)
+
 	token = loginshared_secret_token(site_for, v.id)

 	# Must be https! Downgrading security leaks secrets in query string.