🐛 Invalidate sessions when user changes

This commit is contained in:
Andreas Schneider 2020-11-01 12:22:13 +01:00
parent f5869bfc3b
commit 67b1e206d0
1 changed files with 31 additions and 2 deletions


@ -31,6 +31,7 @@ import (
"html/template"
"log"
"net/http"
"os"
"path"
"strings"
"time"
@ -579,8 +580,6 @@ Are you sure you want to continue?`, share.UUID, share.Name)
ar.Post("/delete-user", func(w http.ResponseWriter, r *http.Request) {
sessionContext := h.buildSessionContext(w, r)
// TODO invalidate sessions
if sessionContext.user.Role != GlobalRoleAdmin {
sessionContext.Unauthorized()
return
@ -605,6 +604,9 @@ Are you sure you want to continue?`, user.Username, user.Role)
return
}
}
invalidateSession(sessionStore, user.Username)
sessionContext.Redirect("users")
})
ar.Route("/change-password", func(r chi.Router) {
@ -648,6 +650,8 @@ Are you sure you want to continue?`, user.Username, user.Role)
return
}
invalidateSession(sessionStore, sessionContext.user.Username)
sessionContext.Redirect("./")
})
})
@ -785,3 +789,28 @@ func userFromContext(r *http.Request) *User {
return nil
}
}
func invalidateSession(store *buntdb.DB, username string) {
err := store.Update(func(tx *buntdb.Tx) error {
var sessionIds []string
if err := tx.AscendKeys("*", func(key, value string) bool {
if value == username {
sessionIds = append(sessionIds, key)
}
return true
}); err != nil {
return err
}
for _, sessionId := range sessionIds {
if _, err := tx.Delete(sessionId); err != nil {
fmt.Fprintf(os.Stderr, "cannot remove session: %v\n", err)
}
}
return nil
})
if err != nil {
fmt.Fprintf(os.Stderr, "cannot invalidate session: %v\n", err)
}
}
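Review bot: In invalidateSession the error from tx.Delete is only written to stderr and the closure still returns nil, so the Update commits and the function returns normally even when a session stayed in the store, and the callers in the /delete-user and /change-password handlers then redirect as if every session of that user had been revoked. Returning the error (through a new error result) makes a failed revocation visible to the caller; because an error from the closure rolls back the Update, the deletion stays all-or-nothing, which is easier to reason about than a silently partial one. The `tx.AscendKeys("*", …)` scan visits every key in the store on each call, which is fine for a small session store but deserves a comment such as `// full scan: sessions are keyed by session id, not by user` so the cost is not a surprise later. Two smaller points: the file already imports "log" (first hunk), so `log.Printf` would avoid the new "os" import that exists only for these two Fprintf calls, and the function lacks a doc comment, e.g. `// invalidateSession removes every session stored for username.`. Both handlers start outside the hunks; the change-password call passes sessionContext.user.Username and so revokes the caller's own session too, which looks intentional but is worth a one-line comment at that call.
```go
// invalidateSession removes every session stored for username, so the user's
// existing logins stop working after the account is deleted or its password
// changes. It returns the first error from the store; on error the whole
// Update is rolled back and no session has been removed.
func invalidateSession(store *buntdb.DB, username string) error {
	return store.Update(func(tx *buntdb.Tx) error {
		var sessionIDs []string
		// full scan: sessions are keyed by session id, not by user
		// … unchanged: AscendKeys callback collecting keys whose value == username …
		for _, id := range sessionIDs {
			if _, err := tx.Delete(id); err != nil && err != buntdb.ErrNotFound {
				return fmt.Errorf("removing session of %q: %w", username, err)
			}
		}
		return nil
	})
}
```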