| author | Omar Roth <omarroth@hotmail.com> | 2018-11-19 18:41:11 -0600 |
|---|---|---|
| committer | Omar Roth <omarroth@hotmail.com> | 2018-11-19 18:41:11 -0600 |
| commit | ad20d6359bc22fdd4de75e4eed76c7510c3c119f (patch) | |
| tree | ad8f86db9ad6d49d9650d6484c84b94231962167 | |
| parent | b535de690e494aeb38ecb9db57ee173dd896bdb2 (diff) | |
| download | invidious-ad20d6359bc22fdd4de75e4eed76c7510c3c119f.tar.gz invidious-ad20d6359bc22fdd4de75e4eed76c7510c3c119f.tar.bz2 invidious-ad20d6359bc22fdd4de75e4eed76c7510c3c119f.zip | |
Add 'expire' to filter invalid tokens
| -rw-r--r-- | config/sql/nonces.sql | 3 | ||||
| -rw-r--r-- | src/invidious/users.cr | 2 |
2 files changed, 3 insertions, 2 deletions
diff --git a/config/sql/nonces.sql b/config/sql/nonces.sql
index 5407dca5..9693b936 100644
--- a/config/sql/nonces.sql
+++ b/config/sql/nonces.sql
@@ -4,7 +4,8 @@ CREATE TABLE public.nonces (
- nonce text
+ nonce text,
+ expire timestamp with time zone,
 ) WITH ( OIDS=FALSE
diff --git a/src/invidious/users.cr b/src/invidious/users.cr
index c8769090..b7cb3fbd 100644
--- a/src/invidious/users.cr
+++ b/src/invidious/users.cr
@@ -203,7 +203,7 @@ end
 def create_response(user_id, operation, key, db, expire = 6.hours)
 expire = Time.now + expire
 nonce = Random::Secure.hex(16)
- db.exec("INSERT INTO nonces VALUES ($1) ON CONFLICT DO NOTHING", nonce)
+ db.exec("INSERT INTO nonces VALUES ($1, $2) ON CONFLICT DO NOTHING", nonce, expire)
 challenge = "#{expire.to_unix}-#{nonce}-#{user_id}-#{operation}"
 token = OpenSSL::HMAC.digest(:sha256, key, challenge)
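Review bot: The added column line `expire timestamp with time zone,` leaves a trailing comma directly before the closing `)`, which PostgreSQL rejects, so this CREATE TABLE will fail to run until the comma is dropped: `expire timestamp with time zone`. As far as the hunk shows there is still no uniqueness constraint on `nonce` and no index on the new column, so the `ON CONFLICT DO NOTHING` used when inserting has nothing to conflict on and expired rows will accumulate unless something not shown here purges them; if that is intentional, a short comment in this file naming where expiry is checked and rows are cleaned up would help the next reader. The opening lines of the statement lie outside the hunk.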
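Review bot: The `expire` parameter is reassigned from a duration to an absolute `Time` on the first body line, and the new `db.exec` call now persists that reassigned value, so one name carries two meanings within three lines; a distinct local reads better: `expires_at = Time.now + expire`, `db.exec("INSERT INTO nonces VALUES ($1, $2) ON CONFLICT DO NOTHING", nonce, expires_at)`, `challenge = "#{expires_at.to_unix}-#{nonce}-#{user_id}-#{operation}"`. Nothing in this diff reads the stored `expire` back, so the filtering the commit title describes presumably lives in the token-checking code, which is not shown; a one-line comment above the insert such as `# expire is persisted so the nonce can be rejected once its deadline has passed` would tie the two sides together. create_response continues past the end of the hunk.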
