-
Notifications
You must be signed in to change notification settings - Fork 93
/
active_sessions.rb
208 lines (172 loc) · 6.22 KB
/
active_sessions.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
# frozen-string-literal: true
module Rodauth
Feature.define(:active_sessions, :ActiveSessions) do
depends :logout
error_flash 'This session has been logged out'
redirect
session_key :session_id_session_key, :active_session_id
auth_value_method :active_sessions_account_id_column, :account_id
auth_value_method :active_sessions_created_at_column, :created_at
auth_value_method :active_sessions_last_use_column, :last_use
auth_value_method :active_sessions_session_id_column, :session_id
auth_value_method :active_sessions_table, :account_active_session_keys
translatable_method :global_logout_label, 'Logout all Logged In Sessions?'
auth_value_method :global_logout_param, 'global_logout'
auth_value_method :inactive_session_error_status, 401
auth_value_method :session_inactivity_deadline, 86400
auth_value_method(:session_lifetime_deadline, 86400*30)
auth_value_methods :update_current_session?
auth_methods(
:active_sessions_insert_hash,
:active_sessions_key,
:active_sessions_update_hash,
:add_active_session,
:currently_active_session?,
:handle_duplicate_active_session_id,
:no_longer_active_session,
:remove_active_session,
:remove_all_active_sessions,
:remove_all_active_sessions_except_for,
:remove_all_active_sessions_except_current,
:remove_current_session,
:remove_inactive_sessions,
)
def currently_active_session?
return false unless session_id = session[session_id_session_key]
remove_inactive_sessions
ds = active_sessions_ds.
where(active_sessions_session_id_column => compute_hmacs(session_id))
if update_current_session?
ds.update(active_sessions_update_hash) == 1
else
ds.count == 1
end
end
def check_active_session
if logged_in? && !currently_active_session?
no_longer_active_session
end
end
def no_longer_active_session
clear_session
set_redirect_error_status inactive_session_error_status
set_error_reason :inactive_session
set_redirect_error_flash active_sessions_error_flash
redirect active_sessions_redirect
end
def add_active_session
key = generate_active_sessions_key
set_session_value(session_id_session_key, key)
if e = raises_uniqueness_violation?{active_sessions_ds.insert(active_sessions_insert_hash)}
handle_duplicate_active_session_id(e)
end
nil
end
def handle_duplicate_active_session_id(_e)
# Do nothing by default as session is already tracked. This will result in
# the current session and the existing session with the same id
# being tracked together, so that a logout of one will logout
# the other, and updating the last use on one will update the other,
# but this should be acceptable. However, this can be overridden if different
# behavior is desired.
end
def remove_current_session
if session_id = session[session_id_session_key]
remove_active_session(compute_hmacs(session_id))
end
end
def remove_active_session(session_id)
active_sessions_ds.where(active_sessions_session_id_column=>session_id).delete
end
def remove_all_active_sessions
active_sessions_ds.delete
end
def remove_all_active_sessions_except_for(session_id)
active_sessions_ds.exclude(active_sessions_session_id_column=>compute_hmacs(session_id)).delete
end
def remove_all_active_sessions_except_current
if session_id = session[session_id_session_key]
remove_all_active_sessions_except_for(session_id)
else
remove_all_active_sessions
end
end
def remove_inactive_sessions
if cond = inactive_session_cond
active_sessions_ds.where(cond).delete
end
end
def logout_additional_form_tags
super.to_s + render('global-logout-field')
end
def update_session
remove_current_session
super
add_active_session
end
private
def after_refresh_token
super if defined?(super)
if prev_key = session[session_id_session_key]
key = generate_active_sessions_key
set_session_value(session_id_session_key, key)
active_sessions_ds.
where(active_sessions_session_id_column => compute_hmacs(prev_key)).
update(active_sessions_session_id_column => compute_hmac(key))
end
end
def after_close_account
super if defined?(super)
remove_all_active_sessions
end
def before_logout
if param_or_nil(global_logout_param)
remove_remember_key(session_value) if respond_to?(:remove_remember_key)
remove_all_active_sessions
else
remove_current_session
end
super
end
attr_reader :active_sessions_key
def generate_active_sessions_key
@active_sessions_key = random_key
end
def active_sessions_insert_hash
{active_sessions_account_id_column => session_value, active_sessions_session_id_column => compute_hmac(active_sessions_key)}
end
def active_sessions_update_hash
h = {active_sessions_last_use_column => Sequel::CURRENT_TIMESTAMP}
if hmac_secret_rotation?
h[active_sessions_session_id_column] = compute_hmac(session[session_id_session_key])
end
h
end
def session_inactivity_deadline_condition
if deadline = session_inactivity_deadline
Sequel[active_sessions_last_use_column] < Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, seconds: deadline)
end
end
def session_lifetime_deadline_condition
if deadline = session_lifetime_deadline
Sequel[active_sessions_created_at_column] < Sequel.date_sub(Sequel::CURRENT_TIMESTAMP, seconds: deadline)
end
end
def inactive_session_cond
cond = session_inactivity_deadline_condition
cond2 = session_lifetime_deadline_condition
return false unless cond || cond2
Sequel.|(*[cond, cond2].compact)
end
def update_current_session?
!!session_inactivity_deadline
end
def active_sessions_ds
db[active_sessions_table].
where(active_sessions_account_id_column=>session_value || account_id)
end
def use_date_arithmetic?
true
end
end
end