2024-02-25 12:15:55 -05:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
2011-10-15 16:36:07 -04:00
|
|
|
class SessionLoader
|
2015-06-18 20:03:33 -04:00
|
|
|
class AuthenticationFailure < Exception ; end
|
|
|
|
|
|
2013-03-20 18:43:17 -04:00
|
|
|
attr_reader :session, :cookies, :request, :params
|
2013-03-19 08:10:10 -04:00
|
|
|
|
2019-08-24 23:55:35 -04:00
|
|
|
def initialize(request)
|
2011-10-15 16:36:07 -04:00
|
|
|
@request = request
|
2019-08-24 23:55:35 -04:00
|
|
|
@session = request.session
|
|
|
|
|
@cookies = request.cookie_jar
|
|
|
|
|
@params = request.parameters
|
2021-02-13 03:59:14 -05:00
|
|
|
@remember_validator = ActiveSupport::MessageVerifier.new(Danbooru.config.remember_key, serializer: JSON, digest: "SHA256")
|
2011-10-15 16:36:07 -04:00
|
|
|
end
|
2013-03-19 08:10:10 -04:00
|
|
|
|
2011-10-15 16:36:07 -04:00
|
|
|
def load
|
2018-09-09 19:56:03 -04:00
|
|
|
CurrentUser.user = User.anonymous
|
2017-12-21 22:57:03 -05:00
|
|
|
CurrentUser.ip_addr = request.remote_ip
|
2017-12-26 16:25:53 -05:00
|
|
|
|
2019-08-24 23:55:35 -04:00
|
|
|
if has_api_authentication?
|
|
|
|
|
load_session_for_api
|
|
|
|
|
elsif session[:user_id]
|
2011-10-15 16:36:07 -04:00
|
|
|
load_session_user
|
2019-10-31 09:41:21 -04:00
|
|
|
elsif has_remember_token?
|
|
|
|
|
load_remember_token
|
2011-10-15 16:36:07 -04:00
|
|
|
end
|
2013-03-19 08:10:10 -04:00
|
|
|
|
2024-02-23 10:48:56 -05:00
|
|
|
CurrentUser.user.unban! if CurrentUser.user.ban_expired?
|
2020-04-04 17:03:06 -04:00
|
|
|
if CurrentUser.user.is_blocked?
|
|
|
|
|
recent_ban = CurrentUser.user.recent_ban
|
|
|
|
|
ban_message = "Account is banned: forever"
|
|
|
|
|
if recent_ban && recent_ban.expires_at.present?
|
|
|
|
|
ban_message = "Account is suspended for another #{recent_ban.expire_days}"
|
|
|
|
|
end
|
|
|
|
|
raise AuthenticationFailure.new(ban_message)
|
|
|
|
|
end
|
2017-12-26 16:25:53 -05:00
|
|
|
set_statement_timeout
|
2024-02-23 10:48:56 -05:00
|
|
|
update_last_logged_in_at
|
|
|
|
|
update_last_ip_addr
|
2011-10-15 16:36:07 -04:00
|
|
|
set_time_zone
|
2019-08-24 23:55:36 -04:00
|
|
|
set_safe_mode
|
2020-04-12 22:08:33 -04:00
|
|
|
refresh_old_remember_token
|
2023-10-11 13:45:11 -04:00
|
|
|
DanbooruLogger.initialize(CurrentUser.user)
|
2011-10-15 16:36:07 -04:00
|
|
|
end
|
|
|
|
|
|
2019-08-24 23:55:35 -04:00
|
|
|
def has_api_authentication?
|
2020-03-04 22:40:46 -05:00
|
|
|
request.authorization.present? || params[:login].present? || params[:api_key].present?
|
2019-08-24 23:55:35 -04:00
|
|
|
end
|
|
|
|
|
|
2019-10-31 09:41:21 -04:00
|
|
|
def has_remember_token?
|
|
|
|
|
cookies.encrypted[:remember].present?
|
|
|
|
|
end
|
|
|
|
|
|
2011-10-15 16:36:07 -04:00
|
|
|
private
|
2018-04-02 13:51:26 -04:00
|
|
|
|
2013-03-21 10:46:49 -04:00
|
|
|
def set_statement_timeout
|
|
|
|
|
timeout = CurrentUser.user.statement_timeout
|
|
|
|
|
ActiveRecord::Base.connection.execute("set statement_timeout = #{timeout}")
|
|
|
|
|
end
|
2013-03-19 08:10:10 -04:00
|
|
|
|
2019-10-31 09:41:21 -04:00
|
|
|
def load_remember_token
|
2020-04-12 22:08:33 -04:00
|
|
|
begin
|
|
|
|
|
message = @remember_validator.verify(cookies.encrypted[:remember], purpose: "rbr")
|
|
|
|
|
return if message.nil?
|
2021-12-18 06:36:19 -05:00
|
|
|
pieces = message.split(":")
|
|
|
|
|
return unless pieces.length == 2
|
|
|
|
|
user = User.find_by_id(pieces[0].to_i)
|
2020-04-12 22:08:33 -04:00
|
|
|
return unless user
|
2021-12-18 06:36:19 -05:00
|
|
|
return if pieces[1].to_i != user.password_token
|
2020-04-12 22:08:33 -04:00
|
|
|
CurrentUser.user = user
|
|
|
|
|
session[:user_id] = user.id
|
2021-12-18 06:36:19 -05:00
|
|
|
session[:ph] = user.password_token # This has been validated by the remember token
|
2020-04-12 22:08:33 -04:00
|
|
|
rescue
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def refresh_old_remember_token
|
2021-12-18 06:36:19 -05:00
|
|
|
if cookies.encrypted[:remember] && !CurrentUser.is_anonymous?
|
|
|
|
|
cookies.encrypted[:remember] = {value: @remember_validator.generate("#{CurrentUser.id}:#{CurrentUser.password_token}", purpose: "rbr", expires_in: 14.days), expires: Time.now + 14.days, httponly: true, same_site: :lax, secure: Rails.env.production?}
|
2020-04-12 22:08:33 -04:00
|
|
|
end
|
2019-10-31 09:41:21 -04:00
|
|
|
end
|
|
|
|
|
|
2013-03-20 18:43:17 -04:00
|
|
|
def load_session_for_api
|
|
|
|
|
if request.authorization
|
|
|
|
|
authenticate_basic_auth
|
|
|
|
|
elsif params[:login].present? && params[:api_key].present?
|
|
|
|
|
authenticate_api_key(params[:login], params[:api_key])
|
2019-08-24 23:55:35 -04:00
|
|
|
else
|
|
|
|
|
raise AuthenticationFailure
|
2013-03-20 18:43:17 -04:00
|
|
|
end
|
|
|
|
|
end
|
2019-08-24 23:55:35 -04:00
|
|
|
|
2013-03-20 18:43:17 -04:00
|
|
|
def authenticate_basic_auth
|
|
|
|
|
credentials = ::Base64.decode64(request.authorization.split(' ', 2).last || '')
|
2023-08-01 13:32:24 -04:00
|
|
|
login, api_key = credentials.split(":", 2)
|
2013-03-20 18:43:17 -04:00
|
|
|
authenticate_api_key(login, api_key)
|
|
|
|
|
end
|
2019-08-24 23:55:35 -04:00
|
|
|
|
2013-03-20 18:43:17 -04:00
|
|
|
def authenticate_api_key(name, api_key)
|
2022-10-16 13:43:33 -04:00
|
|
|
user = User.authenticate_api_key(name, api_key)
|
|
|
|
|
raise AuthenticationFailure if user.nil?
|
|
|
|
|
CurrentUser.user = user
|
2013-03-20 18:43:17 -04:00
|
|
|
end
|
|
|
|
|
|
2011-10-15 16:36:07 -04:00
|
|
|
def load_session_user
|
2018-04-16 19:09:39 -04:00
|
|
|
user = User.find_by_id(session[:user_id])
|
2023-05-08 12:09:09 -04:00
|
|
|
raise AuthenticationFailure if user.nil?
|
2021-12-18 06:36:19 -05:00
|
|
|
return if session[:ph] != user.password_token
|
2023-05-08 12:09:09 -04:00
|
|
|
CurrentUser.user = user
|
2011-10-15 16:36:07 -04:00
|
|
|
end
|
2013-03-19 08:10:10 -04:00
|
|
|
|
2012-06-07 17:31:55 -04:00
|
|
|
def update_last_logged_in_at
|
|
|
|
|
return if CurrentUser.is_anonymous?
|
|
|
|
|
return if CurrentUser.last_logged_in_at && CurrentUser.last_logged_in_at > 1.week.ago
|
|
|
|
|
CurrentUser.user.update_attribute(:last_logged_in_at, Time.now)
|
2016-02-17 19:59:27 -05:00
|
|
|
end
|
|
|
|
|
|
2016-08-24 18:58:22 -04:00
|
|
|
def update_last_ip_addr
|
|
|
|
|
return if CurrentUser.is_anonymous?
|
|
|
|
|
return if CurrentUser.user.last_ip_addr == @request.remote_ip
|
|
|
|
|
CurrentUser.user.update_attribute(:last_ip_addr, @request.remote_ip)
|
|
|
|
|
end
|
|
|
|
|
|
2011-10-15 16:36:07 -04:00
|
|
|
def set_time_zone
|
|
|
|
|
Time.zone = CurrentUser.user.time_zone
|
|
|
|
|
end
|
|
|
|
|
|
2019-08-24 23:55:36 -04:00
|
|
|
def set_safe_mode
|
2021-11-14 16:16:36 -05:00
|
|
|
safe_mode = Danbooru.config.safe_mode? || params[:safe_mode].to_s.truthy? || CurrentUser.user.enable_safe_mode?
|
2019-08-24 23:55:36 -04:00
|
|
|
CurrentUser.safe_mode = safe_mode
|
|
|
|
|
end
|
|
|
|
|
end
|
