jro_apps/redmine Commit - r15792:5d4b5fd1f68a

Allow "stay logged in" from multiple browsers (#10840)....

Jean-Philippe Lang -

r15792:5d4b5fd1f68a

parent child

Context file:

r15792:5d4b5fd1f68a

Collapse all files

app/models/token.rb +56 -4

                cattr_accessor :validity_time
                self.validity_time = 1.day
+               class << self
+                 attr_reader :actions
+                 def add_action(name, options)
+                   options.assert_valid_keys(:max_instances, :validity_time)
+                   @actions ||= {}
+                   @actions[name.to_s] = options
+                 end
+               end
+               add_action :api,       max_instances: 1,  validity_time: nil
+               add_action :autologin, max_instances: 10, validity_time: Proc.new { Setting.autologin.to_i.days }
+               add_action :feeds,     max_instances: 1,  validity_time: nil
+               add_action :recovery,  max_instances: 1,  validity_time: Proc.new { Token.validity_time }
+               add_action :register,  max_instances: 1,  validity_time: Proc.new { Token.validity_time }
+               add_action :session,   max_instances: 10, validity_time: nil
                def generate_new_token
                  self.value = Token.generate_token_value
                end
                # Return true if token has expired
                def expired?
-                 return Time.now > self.created_on + self.class.validity_time
+                 return created_on < self.class.invalid_when_created_before(action)
+               end
+               def max_instances
+                 Token.actions.has_key?(action) ? Token.actions[action][:max_instances] : 1
+               end
+               def self.invalid_when_created_before(action = nil)
+                 if Token.actions.has_key?(action)
+                   validity_time = Token.actions[action][:validity_time]
+                   validity_time = validity_time.call(action) if validity_time.respond_to? :call
+                 else
+                   validity_time = self.validity_time
+                 end
+                 if validity_time.nil?
+                 else
+                   Time.now - validity_time
+                 end
                end
                # Delete all expired tokens
                def self.destroy_expired
-                 Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api', 'session'], Time.now - validity_time).delete_all
+                 t = Token.arel_table
+                 # Unknown actions have default validity_time
+                 condition = t[:action].not_in(self.actions.keys).and(t[:created_on].lt(invalid_when_created_before))
+                 self.actions.each do |action, options|
+                   validity_time = invalid_when_created_before(action)
+                   # Do not delete tokens, which don't become invalid
+                   next if validity_time.nil?
+                   condition = condition.or(
+                     t[:action].eq(action).and(t[:created_on].lt(validity_time))
+                   )
+                 end
+                 Token.where(condition).delete_all
                end
                # Returns the active user who owns the key for the given action
                def delete_previous_tokens
                  if user
                    scope = Token.where(:user_id => user.id, :action => action)
-                   if action == 'session'
-                     ids = scope.order(:updated_on => :desc).offset(9).ids
+                   if max_instances > 1
+                     ids = scope.order(:updated_on => :desc).offset(max_instances - 1).ids
                      if ids.any?
                        Token.delete(ids)
                      end

test/unit/token_test.rb +29 -14

                def test_create_should_remove_existing_tokens
                  user = User.find(1)
-                 t1 = Token.create(:user => user, :action => 'autologin')
-                 t2 = Token.create(:user => user, :action => 'autologin')
+                 t1 = Token.create(:user => user, :action => 'register')
+                 t2 = Token.create(:user => user, :action => 'register')
                  assert_not_equal t1.value, t2.value
                  assert !Token.exists?(t1.id)
                  assert  Token.exists?(t2.id)
                end
-               def test_create_session_token_should_keep_last_10_tokens
+               def test_create_session_or_autologin_token_should_keep_last_10_tokens
                  Token.delete_all
                  user = User.find(1)
-                 assert_difference 'Token.count', 10 do
-.times { Token.create!(:user => user, :action => 'session') }
-                 end
+                 ["autologin", "session"].each do |action|
+                   assert_difference 'Token.count', 10 do
+.times { Token.create!(:user => user, :action => action) }
+                   end
-                 assert_no_difference 'Token.count' do
-                   Token.create!(:user => user, :action => 'session')
+                   assert_no_difference 'Token.count' do
+                     Token.create!(:user => user, :action => action)
+                   end
                  end
                end
-               def test_destroy_expired_should_not_destroy_feeds_and_api_tokens
+               def test_destroy_expired_should_not_destroy_session_feeds_and_api_tokens
                  Token.delete_all
                  Token.create!(:user_id => 1, :action => 'api', :created_on => 7.days.ago)
                  Token.create!(:user_id => 1, :action => 'feeds', :created_on => 7.days.ago)
+                 Token.create!(:user_id => 1, :action => 'session', :created_on => 7.days.ago)
                  assert_no_difference 'Token.count' do
                    assert_equal 0, Token.destroy_expired
                def test_destroy_expired_should_destroy_expired_tokens
                  Token.delete_all
-                 Token.create!(:user_id => 1, :action => 'autologin', :created_on => 7.days.ago)
-                 Token.create!(:user_id => 2, :action => 'autologin', :created_on => 3.days.ago)
-                 Token.create!(:user_id => 3, :action => 'autologin', :created_on => 1.hour.ago)
+                 # Expiration of autologin tokens is determined by Setting.autologin
+                 Setting.autologin = "7"
+                 Token.create!(:user_id => 2, :action => 'autologin', :created_on => 3.weeks.ago)
+                 Token.create!(:user_id => 3, :action => 'autologin', :created_on => 3.days.ago)
+                 # Expiration of register and recovery tokens is determined by Token.validity_time
+                 Token.create!(:user_id => 1, :action => 'register', :created_on => 7.days.ago)
+                 Token.create!(:user_id => 3, :action => 'register', :created_on => 7.hours.ago)
+                 Token.create!(:user_id => 2, :action => 'recovery', :created_on => 3.days.ago)
+                 Token.create!(:user_id => 3, :action => 'recovery', :created_on => 3.hours.ago)
+                 # Expiration of tokens with unknown action is determined by Token.validity_time
+                 Token.create!(:user_id => 2, :action => 'unknown_action', :created_on => 2.days.ago)
+                 Token.create!(:user_id => 3, :action => 'unknown_action', :created_on => 2.hours.ago)
-                 assert_difference 'Token.count', -2 do
-                   assert_equal 2, Token.destroy_expired
+                 assert_difference 'Token.count', -4 do
+                   assert_equal 4, Token.destroy_expired
                  end
                end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages