From 3646395f1d8b200ebd33f3c0b65ad6bbaf0c7156 Mon Sep 17 00:00:00 2001 From: Omar Roth Date: Sun, 10 Feb 2019 12:33:29 -0600 Subject: [PATCH] Store session_ids in separate table --- config/sql/session_ids.sql | 24 ++++++++++++++++++++++++ config/sql/users.sql | 1 - src/invidious.cr | 29 +++++++++++++++++------------ src/invidious/users.cr | 29 +++++++++++++++++------------ 4 files changed, 58 insertions(+), 25 deletions(-) create mode 100644 config/sql/session_ids.sql diff --git a/config/sql/session_ids.sql b/config/sql/session_ids.sql new file mode 100644 index 00000000..24491405 --- /dev/null +++ b/config/sql/session_ids.sql @@ -0,0 +1,24 @@ +-- Table: public.session_ids + +-- DROP TABLE public.session_ids; + +CREATE TABLE public.session_ids +( + id text NOT NULL, + email text, + issued timestamp with time zone, + CONSTRAINT session_ids_pkey PRIMARY KEY (id) +); + +GRANT ALL ON TABLE public.channel_videos TO kemal; + +-- Index: public.session_ids_id_idx + +-- DROP INDEX public.session_ids_id_idx; + +CREATE INDEX session_ids_id_idx + ON public.session_ids + USING btree + (id COLLATE pg_catalog."default"); + + \ No newline at end of file diff --git a/config/sql/users.sql b/config/sql/users.sql index f806271c..536508a4 100644 --- a/config/sql/users.sql +++ b/config/sql/users.sql @@ -4,7 +4,6 @@ CREATE TABLE public.users ( - id text[] NOT NULL, updated timestamp with time zone, notifications text[], subscriptions text[], diff --git a/src/invidious.cr b/src/invidious.cr index 28d3fbf5..169c4f12 100644 --- a/src/invidious.cr +++ b/src/invidious.cr @@ -163,9 +163,10 @@ before_all do |env| # Invidious users only have SID if !env.request.cookies.has_key? "SSID" - user = PG_DB.query_one?("SELECT * FROM users WHERE $1 = ANY(id)", sid, as: User) + email = PG_DB.query_one?("SELECT email FROM session_ids WHERE id = $1", sid, as: String) - if user + if email + user = PG_DB.query_one("SELECT * FROM users WHERE email = $1", email, as: User) challenge, token = create_response(user.email, "sign_out", HMAC_KEY, PG_DB, 1.week) env.set "challenge", challenge @@ -177,7 +178,7 @@ before_all do |env| end else begin - user = get_user(sid, headers, PG_DB, false) + user, sid = get_user(sid, headers, PG_DB, false) challenge, token = create_response(user.email, "sign_out", HMAC_KEY, PG_DB, 1.week) env.set "challenge", challenge @@ -312,7 +313,7 @@ get "/watch" do |env| end if watched && !watched.includes? id - PG_DB.exec("UPDATE users SET watched = watched || $1 WHERE $2 = id", [id], user.as(User).id) + PG_DB.exec("UPDATE users SET watched = watched || $1 WHERE email = $2", [id], user.as(User).email) end if nojs @@ -880,7 +881,7 @@ post "/login" do |env| sid = login.cookies["SID"].value - user = get_user(sid, headers, PG_DB) + user, sid = get_user(sid, headers, PG_DB) # We are now logged in @@ -986,7 +987,7 @@ post "/login" do |env| if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) - PG_DB.exec("UPDATE users SET id = id || $1 WHERE LOWER(email) = LOWER($2)", [sid], email) + PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now) if Kemal.config.ssl || CONFIG.https_only secure = true @@ -1024,13 +1025,14 @@ post "/login" do |env| end sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) - user = create_user(sid, email, password) + user, sid = create_user(sid, email, password) user_array = user.to_a user_array[5] = user_array[5].to_json args = arg_array(user_array) PG_DB.exec("INSERT INTO users VALUES (#{args})", user_array) + PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now) view_name = "subscriptions_#{sha256(user.email)[0..7]}" PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS \ @@ -1078,7 +1080,7 @@ get "/signout" do |env| user = env.get("user").as(User) sid = env.get("sid").as(String) - PG_DB.exec("UPDATE users SET id = array_remove(id, $1) WHERE email = $2", sid, user.email) + PG_DB.exec("DELETE FROM session_ids * WHERE id = $1", sid) env.request.cookies.each do |cookie| cookie.expires = Time.new(1990, 1, 1) @@ -1252,7 +1254,7 @@ get "/mark_watched" do |env| if user user = user.as(User) if !user.watched.includes? id - PG_DB.exec("UPDATE users SET watched = watched || $1 WHERE $2 = id", [id], user.id) + PG_DB.exec("UPDATE users SET watched = watched || $1 WHERE email = $2", [id], user.email) end end @@ -1347,9 +1349,10 @@ get "/subscription_manager" do |env| locale = LOCALES[env.get("locale").as(String)]? user = env.get? "user" + sid = env.get? "sid" referer = get_referer(env, "/") - if !user + if !user && !sid next env.redirect referer end @@ -1360,7 +1363,7 @@ get "/subscription_manager" do |env| headers = HTTP::Headers.new headers["Cookie"] = env.request.headers["Cookie"] - user = get_user(user.id[0], headers, PG_DB) + user, sid = get_user(sid, headers, PG_DB) end action_takeout = env.params.query["action_takeout"]?.try &.to_i? @@ -1756,10 +1759,12 @@ get "/feed/subscriptions" do |env| locale = LOCALES[env.get("locale").as(String)]? user = env.get? "user" + sid = env.get? "sid" referer = get_referer(env) if user user = user.as(User) + sid = sid.as(String) preferences = user.preferences if preferences.unseen_only @@ -1771,7 +1776,7 @@ get "/feed/subscriptions" do |env| headers["Cookie"] = env.request.headers["Cookie"] if !user.password - user = get_user(user.id[0], headers, PG_DB) + user, sid = get_user(sid, headers, PG_DB) end max_results = preferences.max_results diff --git a/src/invidious/users.cr b/src/invidious/users.cr index d45c5af4..67125654 100644 --- a/src/invidious/users.cr +++ b/src/invidious/users.cr @@ -12,7 +12,6 @@ class User end add_mapping({ - id: Array(String), updated: Time, notifications: Array(String), subscriptions: Array(String), @@ -126,18 +125,21 @@ class Preferences end def get_user(sid, headers, db, refresh = true) - if db.query_one?("SELECT EXISTS (SELECT true FROM users WHERE $1 = ANY(id))", sid, as: Bool) - user = db.query_one("SELECT * FROM users WHERE $1 = ANY(id)", sid, as: User) + if email = db.query_one?("SELECT email FROM session_ids WHERE id = $1", sid, as: String) + user = db.query_one("SELECT * FROM users WHERE email = $1", email, as: User) if refresh && Time.now - user.updated > 1.minute - user = fetch_user(sid, headers, db) + user, sid = fetch_user(sid, headers, db) user_array = user.to_a user_array[5] = user_array[5].to_json args = arg_array(user_array) db.exec("INSERT INTO users VALUES (#{args}) \ - ON CONFLICT (email) DO UPDATE SET id = users.id || $1, updated = $2, subscriptions = $4", user_array) + ON CONFLICT (email) DO UPDATE SET updated = $1, subscriptions = $3", user_array) + + db.exec("INSERT INTO session_ids VALUES ($1,$2,$3) \ + ON CONFLICT (id) DO NOTHING", sid, user.email, Time.now) begin view_name = "subscriptions_#{sha256(user.email)[0..7]}" @@ -149,14 +151,17 @@ def get_user(sid, headers, db, refresh = true) end end else - user = fetch_user(sid, headers, db) + user, sid = fetch_user(sid, headers, db) user_array = user.to_a user_array[5] = user_array[5].to_json args = arg_array(user.to_a) db.exec("INSERT INTO users VALUES (#{args}) \ - ON CONFLICT (email) DO UPDATE SET id = users.id || $1, updated = $2, subscriptions = $4", user_array) + ON CONFLICT (email) DO UPDATE SET updated = $1, subscriptions = $3", user_array) + + db.exec("INSERT INTO session_ids VALUES ($1,$2,$3) \ + ON CONFLICT (id) DO NOTHING", sid, user.email, Time.now) begin view_name = "subscriptions_#{sha256(user.email)[0..7]}" @@ -168,7 +173,7 @@ def get_user(sid, headers, db, refresh = true) end end - return user + return user, sid end def fetch_user(sid, headers, db) @@ -196,17 +201,17 @@ def fetch_user(sid, headers, db) token = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) - user = User.new([sid], Time.now, [] of String, channels, email, DEFAULT_USER_PREFERENCES, nil, token, [] of String) - return user + user = User.new(Time.now, [] of String, channels, email, DEFAULT_USER_PREFERENCES, nil, token, [] of String) + return user, sid end def create_user(sid, email, password) password = Crypto::Bcrypt::Password.create(password, cost: 10) token = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) - user = User.new([sid], Time.now, [] of String, [] of String, email, DEFAULT_USER_PREFERENCES, password.to_s, token, [] of String) + user = User.new(Time.now, [] of String, [] of String, email, DEFAULT_USER_PREFERENCES, password.to_s, token, [] of String) - return user + return user, sid end def create_response(user_id, operation, key, db, expire = 6.hours)