From 9b441333a7cc2c0ffa5874991f44d0ccc9f12c3c Mon Sep 17 00:00:00 2001
From: Ben Visness
Date: Thu, 4 May 2023 22:21:13 -0500
Subject: [PATCH] Delete expired pending logins

---
 src/auth/session.go | 24 ++++++++++++++++++++++--
 src/website/auth.go | 2 --
 src/website/discord.go | 6 ++++++
 src/website/website.go | 2 +-
 4 files changed, 29 insertions(+), 5 deletions(-)

diff --git a/src/auth/session.go b/src/auth/session.go
index eaace17..61c0648 100644
--- a/src/auth/session.go
+++ b/src/auth/session.go
@@ -143,7 +143,16 @@ func DeleteExpiredSessions(ctx context.Context, conn *pgxpool.Pool) (int64, erro
 return tag.RowsAffected(), nil
 }
 
-func PeriodicallyDeleteExpiredSessions(ctx context.Context, conn *pgxpool.Pool) jobs.Job {
+func DeleteExpiredPendingLogins(ctx context.Context, conn *pgxpool.Pool) (int64, error) {
+ tag, err := conn.Exec(ctx, "DELETE FROM pending_login WHERE expires_at <= CURRENT_TIMESTAMP")
+ if err != nil {
+ return 0, oops.New(err, "failed to delete expired pending logins")
+ }
+
+ return tag.RowsAffected(), nil
+}
+
+func PeriodicallyDeleteExpiredStuff(ctx context.Context, conn *pgxpool.Pool) jobs.Job {
 job := jobs.New()
 go func() {
 defer job.Done()
@@ -154,6 +163,7 @@ func PeriodicallyDeleteExpiredSessions(ctx context.Context, conn *pgxpool.Pool)
 case <-t.C:
 err := func() (err error) {
 defer utils.RecoverPanicAsError(&err)
+
 n, err := DeleteExpiredSessions(ctx, conn)
 if err == nil {
 if n > 0 {
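Review bot: The two exported functions introduced in the first session.go hunk, `DeleteExpiredPendingLogins` and `PeriodicallyDeleteExpiredStuff`, carry no doc comments, and the second name does not say what is swept. Suggested: `// DeleteExpiredPendingLogins deletes pending_login rows whose expires_at is at or before the database clock and returns the number of rows removed.` and `// PeriodicallyDeleteExpiredStuff runs DeleteExpiredSessions and DeleteExpiredPendingLogins on a timer until ctx is cancelled.` A name such as `PeriodicallyDeleteExpiredAuthState` would make the comment shorter, though renaming also touches the website.go call site in this same patch. The body of PeriodicallyDeleteExpiredStuff, including the timer `t` read in the second hunk, continues past these hunks.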
@@ -162,10 +172,20 @@ func PeriodicallyDeleteExpiredSessions(ctx context.Context, conn *pgxpool.Pool)
 } else {
 logging.Error().Err(err).Msg("Failed to delete expired sessions")
 }
+
+ n, err = DeleteExpiredPendingLogins(ctx, conn)
+ if err == nil {
+ if n > 0 {
+ logging.Info().Int64("num deleted pending logins", n).Msg("Deleted expired pending logins")
+ }
+ } else {
+ logging.Error().Err(err).Msg("Failed to delete expired pending logins")
+ }
+
 return nil
 }()
 if err != nil {
- logging.Error().Err(err).Msg("Panicked in PeriodicallyDeleteExpiredSessions")
+ logging.Error().Err(err).Msg("Panicked in PeriodicallyDeleteExpiredStuff")
 }
 case <-ctx.Done():
 return
diff --git a/src/website/auth.go b/src/website/auth.go
index 7ffd6f6..77cd9a1 100644
--- a/src/website/auth.go
+++ b/src/website/auth.go
@@ -141,8 +141,6 @@ func LoginWithDiscord(c *RequestContext) ResponseData {
 return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to save pending login"))
 }
 
- // TODO: EXPIRE THESE
-
 discordAuthUrl := discord.GetAuthorizeUrl(pendingLogin.ID, true)
 return c.Redirect(discordAuthUrl, http.StatusSeeOther)
 }
diff --git a/src/website/discord.go b/src/website/discord.go
index b814878..7abd9d5 100644
--- a/src/website/discord.go
+++ b/src/website/discord.go
@@ -74,6 +74,12 @@ func DiscordOAuthCallback(c *RequestContext) ResponseData {
 return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to look up pending login"))
 }
 destinationUrl = pendingLogin.DestinationUrl
+
+ // Delete the pending login; we're done with it
+ _, err = tx.Exec(c, `DELETE FROM pending_login WHERE id = $1`, pendingLogin.ID)
+ if err != nil {
+ c.Logger.Warn().Str("id", pendingLogin.ID).Err(err).Msg("failed to delete pending login")
+ }
 } else {
 // Check the state against the current session - if it does not match,
 // then CSRF'd!!!!
diff --git a/src/website/website.go b/src/website/website.go
index 6b30627..aaca3ef 100644
--- a/src/website/website.go
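Review bot: The pending-login block added in the third session.go hunk duplicates the sessions block directly above it, differing only in the function called and the log text, and the added `n, err =` piggybacks on the variables of the first call. Both would read better as one small helper invoked twice inside the recovering closure, which also fixes the log key `num deleted pending logins`, whose spaces are awkward for structured-log consumers (`num_deleted` is the usual shape). Note that both sweeps share one `RecoverPanicAsError` closure, so a panic in the sessions sweep skips the pending-login sweep until the next tick; if that matters, the helper could recover on its own. The closure and the enclosing goroutine start outside this hunk.

```go
// sweep runs one expiry deletion and logs its outcome; what names the rows in the log text.
func sweep(ctx context.Context, conn *pgxpool.Pool, what string, del func(context.Context, *pgxpool.Pool) (int64, error)) {
	n, err := del(ctx, conn)
	if err != nil {
		logging.Error().Err(err).Msg("Failed to delete expired " + what)
		return
	}
	if n > 0 {
		logging.Info().Int64("num_deleted", n).Msg("Deleted expired " + what)
	}
}

// … inside the recovering closure, replacing both logging blocks …
sweep(ctx, conn, "sessions", DeleteExpiredSessions)
sweep(ctx, conn, "pending logins", DeleteExpiredPendingLogins)
return nil
```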
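Review bot: The warn-and-continue path on the new `if err != nil` lines in discord.go does not hold up if `tx` is a Postgres transaction: a failed statement leaves the transaction aborted, every later statement in it fails, and the commit fails too, so the warning hides the real outcome. Either return the error in the same way the lookup failure does a few lines above, `return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to delete pending login"))`, or perform the best-effort delete outside the transaction once it has committed. Separately, the lookup that precedes this hunk should reject rows whose `expires_at` has passed, because the periodic sweep added in session.go only removes expired rows at its tick interval and otherwise leaves an expired pending login usable until then; that query is not visible here, so confirm it filters on expiry. The enclosing function and the transaction begin outside this hunk.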
+++ b/src/website/website.go
@@ -43,7 +43,7 @@ var WebsiteCommand = &cobra.Command{
 }
 
 backgroundJobsDone := jobs.Zip(
- auth.PeriodicallyDeleteExpiredSessions(backgroundJobContext, conn),
+ auth.PeriodicallyDeleteExpiredStuff(backgroundJobContext, conn),
 auth.PeriodicallyDeleteInactiveUsers(backgroundJobContext, conn),
 perfCollector.Job,
 discord.RunDiscordBot(backgroundJobContext, conn),