
set expiration for sessions and fix some other problems with sessions
tnix100 committed Aug 26, 2024
1 parent 5a1657e commit b1a7446
Showing 3 changed files with 15 additions and 52 deletions.
11 changes: 9 additions & 2 deletions database.py
Expand Up @@ -61,6 +61,12 @@
try: db.authenticators.create_index([("user", pymongo.ASCENDING)], name="user")
except: pass

# Create account sessions indexes
try: db.acc_sessions.create_index([("user", pymongo.ASCENDING)], name="user")
except: pass
try: db.acc_sessions.create_index([("refreshed_at", pymongo.ASCENDING)], name="refreshed_at")
except: pass

# Create data exports indexes
try: db.data_exports.create_index([("user", pymongo.ASCENDING)], name="user")
except: pass
Expand Down Expand Up @@ -319,12 +325,13 @@ def get_total_pages(collection: str, query: dict, page_size: int = 25) -> int:

# New sessions
log("[Migrator] Adding new sessions")
from sessions import AccSession
for user in db.usersv0.find({"tokens": {"$exists": True}}, projection={"_id": 1, "tokens": 1}):
if user["tokens"]:
for token in user["tokens"]:
rdb.set(urlsafe_b64encode(sha256(token.encode()).digest()), user["_id"], ex=1209600) # 14 days
db.usersv0.update_one({"_id": user["_id"]}, {"$set": {"tokens": []}})
db.usersv0.update_many({}, {"$unset": {"tokens": ""}})
try: db.usersv0.drop_index("tokens")
except: pass

db.config.update_one({"_id": "migration"}, {"$set": {"database": CURRENT_DB_VERSION}})
log(f"[Migrator] Finished Migrating DB to version {CURRENT_DB_VERSION}")
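Review bot: The legacy tokens copied into Redis by `rdb.set(urlsafe_b64encode(sha256(token.encode()).digest()), user["_id"], ex=1209600)` are keyed only by the token hash, so they cannot be revoked per user: the `delete_account` cleanup added in this commit clears `acc_sessions` but cannot reach these entries, which stay valid for up to 14 days unless the auth path re-checks that the user still exists — worth confirming, or keeping a per-user set of key hashes so they can be removed. The 14-day TTL also differs from the 60-day idle revocation applied to `acc_sessions`; if that is deliberate, a comment such as `# legacy tokens are short-lived; clients re-authenticate into acc_sessions` would record it. `from sessions import AccSession` is not referenced anywhere in the visible lines; if the rest of the migrator does not use it either, drop the import. The migrator function starts before this hunk.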
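--- a/security.py
+++ b/security.py
@@ -382,6 +382,9 @@ def delete_account(username, purge=False):
 # Delete authenticators
 db.authenticators.delete_many({"user": username})
 
+# Delete sessions
+db.acc_sessions.delete_many({"user": username})
+
 # Delete uploaded files
 clear_files(username)
 
@@ -497,28 +500,16 @@ def background_tasks_loop():
 
 log("Running background tasks...")
 
-# Rotate signing key (every 10 days)
-if db.config.count_documents({"_id": "signing_key", "rotated_at": {"$lt": int(time.time())-864000}}, limit=1):
-new_priv_bytes, new_pub_bytes = signing_keys.rotate()
-db.pub_signing_keys.insert_one({
-"raw": new_pub_bytes,
-"created_at": int(time.time())
-})
-db.config.update_one({"_id": "signing_key"}, {"$set": {
-"raw": new_priv_bytes,
-"rotated_at": int(time.time())
-}}, upsert=True)
-
-# Delete public signing keys that are older than 90 days
-db.pub_signing_keys.delete_many({"created_at": {"$lt": int(time.time())-7776000}})
-
 # Delete accounts scheduled for deletion
 for user in db.usersv0.find({"delete_after": {"$lt": int(time.time())}}, projection={"_id": 1}):
 try:
 delete_account(user["_id"])
 except Exception as e:
 log(f"Failed to delete account {user['_id']}: {e}")
 
+# Revoke old sessions (60 days)
+db.acc_sessions.delete_many({"refreshed_at": {"$lt": int(time.time())-5184000}})
+
 # Purge old netinfo
 db.netinfo.delete_many({"last_refreshed": {"$lt": int(time.time())-2419200}})
 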
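Review bot: The new sweep `db.acc_sessions.delete_many({"refreshed_at": {"$lt": int(time.time())-5184000}})` enforces only an idle timeout, so a session that keeps being refreshed never expires; session stores normally pair this with an absolute lifetime, e.g. a second `delete_many` on `{"created_at": {"$lt": int(time.time())-SESSION_MAX_AGE}}`, assuming acc_sessions records a creation time (not visible here). Naming the constant (`SESSION_IDLE_TTL = 60 * 86400  # revoke after 60 days without refresh`) would also make the policy readable next to the 28-day netinfo purge below. With rotation removed, the private key kept under `db.config` with `_id: "signing_key"` and the `pub_signing_keys` documents remain in the database; if nothing reads them any more, a migrator step should delete them rather than leave key material behind. The body of background_tasks_loop starts before and continues after this hunk.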
35 changes: 0 additions & 35 deletions signing.py

This file was deleted.
