Minor refactor

Omar Roth 6 years ago
parent 1a7b341745
commit b0dca2a363

@ -1323,25 +1323,27 @@ post "/signout" do |env|
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = user.as(User) next env.redirect referer
sid = sid.as(String) end
token = env.params.body["csrf_token"]?
begin user = user.as(User)
validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) sid = sid.as(String)
rescue ex token = env.params.body["csrf_token"]?
error_message = ex.message
env.response.status_code = 400
next templated "error"
end
PG_DB.exec("DELETE FROM session_ids * WHERE id = $1", sid) begin
validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
rescue ex
error_message = ex.message
env.response.status_code = 400
next templated "error"
end
env.request.cookies.each do |cookie| PG_DB.exec("DELETE FROM session_ids * WHERE id = $1", sid)
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie env.request.cookies.each do |cookie|
end cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end end
env.redirect referer env.redirect referer
@ -1889,13 +1891,13 @@ get "/data_control" do |env|
user = env.get? "user" user = env.get? "user"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = user.as(User) next env.redirect referer
templated "data_control"
else
env.redirect referer
end end
user = user.as(User)
templated "data_control"
end end
post "/data_control" do |env| post "/data_control" do |env|
@ -2048,15 +2050,15 @@ get "/change_password" do |env|
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = user.as(User) next env.redirect referer
sid = sid.as(String)
csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB)
templated "change_password"
else
env.redirect referer
end end
user = user.as(User)
sid = sid.as(String)
csrf_token = generate_response(sid, {":change_password"}, HMAC_KEY, PG_DB)
templated "change_password"
end end
post "/change_password" do |env| post "/change_password" do |env|
@ -2066,64 +2068,66 @@ post "/change_password" do |env|
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = user.as(User) next env.redirect referer
sid = sid.as(String) end
token = env.params.body["csrf_token"]?
# We don't store passwords for Google accounts user = user.as(User)
if !user.password sid = sid.as(String)
error_message = "Cannot change password for Google accounts" token = env.params.body["csrf_token"]?
env.response.status_code = 400
next templated "error"
end
begin # We don't store passwords for Google accounts
validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) if !user.password
rescue ex error_message = "Cannot change password for Google accounts"
error_message = ex.message env.response.status_code = 400
env.response.status_code = 400 next templated "error"
next templated "error" end
end
password = env.params.body["password"]? begin
if !password validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
error_message = translate(locale, "Password is a required field") rescue ex
env.response.status_code = 401 error_message = ex.message
next templated "error" env.response.status_code = 400
end next templated "error"
end
new_passwords = env.params.body.select { |k, v| k.match(/^new_password\[\d+\]$/) }.map { |k, v| v } password = env.params.body["password"]?
if !password
error_message = translate(locale, "Password is a required field")
env.response.status_code = 401
next templated "error"
end
if new_passwords.size <= 1 || new_passwords.uniq.size != 1 new_passwords = env.params.body.select { |k, v| k.match(/^new_password\[\d+\]$/) }.map { |k, v| v }
error_message = translate(locale, "New passwords must match")
env.response.status_code = 400
next templated "error"
end
new_password = new_passwords.uniq[0] if new_passwords.size <= 1 || new_passwords.uniq.size != 1
if new_password.empty? error_message = translate(locale, "New passwords must match")
error_message = translate(locale, "Password cannot be empty") env.response.status_code = 400
env.response.status_code = 401 next templated "error"
next templated "error" end
end
if new_password.bytesize > 55 new_password = new_passwords.uniq[0]
error_message = translate(locale, "Password should not be longer than 55 characters") if new_password.empty?
env.response.status_code = 400 error_message = translate(locale, "Password cannot be empty")
next templated "error" env.response.status_code = 401
end next templated "error"
end
if !Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) if new_password.bytesize > 55
error_message = translate(locale, "Incorrect password") error_message = translate(locale, "Password should not be longer than 55 characters")
env.response.status_code = 401 env.response.status_code = 400
next templated "error" next templated "error"
end end
new_password = Crypto::Bcrypt::Password.create(new_password, cost: 10) if !Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
PG_DB.exec("UPDATE users SET password = $1 WHERE email = $2", new_password.to_s, user.email) error_message = translate(locale, "Incorrect password")
env.response.status_code = 401
next templated "error"
end end
new_password = Crypto::Bcrypt::Password.create(new_password, cost: 10)
PG_DB.exec("UPDATE users SET password = $1 WHERE email = $2", new_password.to_s, user.email)
env.redirect referer env.redirect referer
end end
@ -2134,15 +2138,15 @@ get "/delete_account" do |env|
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = user.as(User) next env.redirect referer
sid = sid.as(String)
csrf_token = generate_response(sid, {":delete_account"}, HMAC_KEY, PG_DB)
templated "delete_account"
else
env.redirect referer
end end
user = user.as(User)
sid = sid.as(String)
csrf_token = generate_response(sid, {":delete_account"}, HMAC_KEY, PG_DB)
templated "delete_account"
end end
post "/delete_account" do |env| post "/delete_account" do |env|
@ -2152,28 +2156,30 @@ post "/delete_account" do |env|
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = user.as(User) next env.redirect referer
sid = sid.as(String) end
token = env.params.body["csrf_token"]?
begin user = user.as(User)
validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) sid = sid.as(String)
rescue ex token = env.params.body["csrf_token"]?
error_message = ex.message
env.response.status_code = 400
next templated "error"
end
view_name = "subscriptions_#{sha256(user.email)}" begin
PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email) validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email) rescue ex
PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}") error_message = ex.message
env.response.status_code = 400
next templated "error"
end
env.request.cookies.each do |cookie| view_name = "subscriptions_#{sha256(user.email)}"
cookie.expires = Time.utc(1990, 1, 1) PG_DB.exec("DELETE FROM users * WHERE email = $1", user.email)
env.response.cookies << cookie PG_DB.exec("DELETE FROM session_ids * WHERE email = $1", user.email)
end PG_DB.exec("DROP MATERIALIZED VIEW #{view_name}")
env.request.cookies.each do |cookie|
cookie.expires = Time.utc(1990, 1, 1)
env.response.cookies << cookie
end end
env.redirect referer env.redirect referer
@ -2186,15 +2192,15 @@ get "/clear_watch_history" do |env|
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = user.as(User) next env.redirect referer
sid = sid.as(String)
csrf_token = generate_response(sid, {":clear_watch_history"}, HMAC_KEY, PG_DB)
templated "clear_watch_history"
else
env.redirect referer
end end
user = user.as(User)
sid = sid.as(String)
csrf_token = generate_response(sid, {":clear_watch_history"}, HMAC_KEY, PG_DB)
templated "clear_watch_history"
end end
post "/clear_watch_history" do |env| post "/clear_watch_history" do |env|
@ -2204,22 +2210,23 @@ post "/clear_watch_history" do |env|
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = user.as(User) next env.redirect referer
sid = sid.as(String) end
token = env.params.body["csrf_token"]?
begin user = user.as(User)
validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale) sid = sid.as(String)
rescue ex token = env.params.body["csrf_token"]?
error_message = ex.message
env.response.status_code = 400
next templated "error"
end
PG_DB.exec("UPDATE users SET watched = '{}' WHERE email = $1", user.email) begin
validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
rescue ex
error_message = ex.message
env.response.status_code = 400
next templated "error"
end end
PG_DB.exec("UPDATE users SET watched = '{}' WHERE email = $1", user.email)
env.redirect referer env.redirect referer
end end
@ -2230,25 +2237,25 @@ get "/authorize_token" do |env|
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = user.as(User) next env.redirect referer
sid = sid.as(String) end
csrf_token = generate_response(sid, {":authorize_token"}, HMAC_KEY, PG_DB)
scopes = env.params.query["scopes"]?.try &.split(",")
scopes ||= [] of String
callback_url = env.params.query["callback_url"]? user = user.as(User)
if callback_url sid = sid.as(String)
callback_url = URI.parse(callback_url) csrf_token = generate_response(sid, {":authorize_token"}, HMAC_KEY, PG_DB)
end
expire = env.params.query["expire"]?.try &.to_i? scopes = env.params.query["scopes"]?.try &.split(",")
scopes ||= [] of String
templated "authorize_token" callback_url = env.params.query["callback_url"]?
else if callback_url
env.redirect referer callback_url = URI.parse(callback_url)
end end
expire = env.params.query["expire"]?.try &.to_i?
templated "authorize_token"
end end
post "/authorize_token" do |env| post "/authorize_token" do |env|
@ -2258,44 +2265,46 @@ post "/authorize_token" do |env|
sid = env.get? "sid" sid = env.get? "sid"
referer = get_referer(env) referer = get_referer(env)
if user if !user
user = env.get("user").as(User) next env.redirect referer
sid = sid.as(String) end
token = env.params.body["csrf_token"]?
begin
validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
rescue ex
error_message = ex.message
env.response.status_code = 400
next templated "error"
end
scopes = env.params.body.select { |k, v| k.match(/^scopes\[\d+\]$/) }.map { |k, v| v } user = env.get("user").as(User)
callback_url = env.params.body["callbackUrl"]? sid = sid.as(String)
expire = env.params.body["expire"]?.try &.to_i? token = env.params.body["csrf_token"]?
access_token = generate_token(user.email, scopes, expire, HMAC_KEY, PG_DB) begin
validate_request(token, sid, env.request, HMAC_KEY, PG_DB, locale)
rescue ex
error_message = ex.message
env.response.status_code = 400
next templated "error"
end
if callback_url scopes = env.params.body.select { |k, v| k.match(/^scopes\[\d+\]$/) }.map { |k, v| v }
access_token = URI.escape(access_token) callback_url = env.params.body["callbackUrl"]?
url = URI.parse(callback_url) expire = env.params.body["expire"]?.try &.to_i?
if url.query access_token = generate_token(user.email, scopes, expire, HMAC_KEY, PG_DB)
query = HTTP::Params.parse(url.query.not_nil!)
else
query = HTTP::Params.new
end
query["token"] = access_token if callback_url
url.query = query.to_s access_token = URI.escape(access_token)
url = URI.parse(callback_url)
env.redirect url.to_s if url.query
query = HTTP::Params.parse(url.query.not_nil!)
else else
csrf_token = "" query = HTTP::Params.new
env.set "access_token", access_token
templated "authorize_token"
end end
query["token"] = access_token
url.query = query.to_s
env.redirect url.to_s
else
csrf_token = ""
env.set "access_token", access_token
templated "authorize_token"
end end
end end
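Review bot: In the rewritten `post "/authorize_token"` body the user-supplied `callbackUrl` is parsed and then redirected to with the freshly minted `access_token` appended, with no check on its scheme or host, so a page that submits this form with an attacker-chosen callback receives the user's token (open redirect plus token exfiltration); the CSRF check guards the submission, not the destination. Unless handing the token to any URL the user consented to is the intended flow, add a guard after `url = URI.parse(callback_url)`: `if url.scheme != "http" && url.scheme != "https"` / `error_message = "Invalid callback URL"; env.response.status_code = 400; next templated "error"` / `end`, and consider restricting the host as well. The token is also run through `URI.escape` before being stored in `HTTP::Params`, whose `to_s` presumably encodes values itself, so the redirect may carry a double-encoded token — worth confirming against the `HTTP::Params` implementation. As a point of style, `user = env.get("user").as(User)` on the new side differs from the `user.as(User)` used in every other handler this commit rewrites.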
