jro_apps/redmine Commit - r15792:5d4b5fd1f68a

Allow "stay logged in" from multiple browsers (#10840)....

Jean-Philippe Lang -

r15792:5d4b5fd1f68a

parent child

Context file:

r15792:5d4b5fd1f68a

Collapse all files

app/models/token.rb +56 -4

             # Redmine - project management software
             # Copyright (C) 2006-2016  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class Token < ActiveRecord::Base
               belongs_to :user
               validates_uniqueness_of :value
               attr_protected :id
               before_create :delete_previous_tokens, :generate_new_token
               cattr_accessor :validity_time
               self.validity_time = 1.day
+              class << self
+                attr_reader :actions
+                def add_action(name, options)
+                  options.assert_valid_keys(:max_instances, :validity_time)
+                  @actions ||= {}
+                  @actions[name.to_s] = options
+                end
+              end
+              add_action :api,       max_instances: 1,  validity_time: nil
+              add_action :autologin, max_instances: 10, validity_time: Proc.new { Setting.autologin.to_i.days }
+              add_action :feeds,     max_instances: 1,  validity_time: nil
+              add_action :recovery,  max_instances: 1,  validity_time: Proc.new { Token.validity_time }
+              add_action :register,  max_instances: 1,  validity_time: Proc.new { Token.validity_time }
+              add_action :session,   max_instances: 10, validity_time: nil
               def generate_new_token
                 self.value = Token.generate_token_value
               end
               # Return true if token has expired
               def expired?
-                return Time.now > self.created_on + self.class.validity_time
+                return created_on < self.class.invalid_when_created_before(action)
+              end
+              def max_instances
+                Token.actions.has_key?(action) ? Token.actions[action][:max_instances] : 1
+              end
+              def self.invalid_when_created_before(action = nil)
+                if Token.actions.has_key?(action)
+                  validity_time = Token.actions[action][:validity_time]
+                  validity_time = validity_time.call(action) if validity_time.respond_to? :call
+                else
+                  validity_time = self.validity_time
+                end
+                if validity_time.nil?
+                else
+                  Time.now - validity_time
+                end
               end
               # Delete all expired tokens
               def self.destroy_expired
-                Token.where("action NOT IN (?) AND created_on < ?", ['feeds', 'api', 'session'], Time.now - validity_time).delete_all
+                t = Token.arel_table
+                # Unknown actions have default validity_time
+                condition = t[:action].not_in(self.actions.keys).and(t[:created_on].lt(invalid_when_created_before))
+                self.actions.each do |action, options|
+                  validity_time = invalid_when_created_before(action)
+                  # Do not delete tokens, which don't become invalid
+                  next if validity_time.nil?
+                  condition = condition.or(
+                    t[:action].eq(action).and(t[:created_on].lt(validity_time))
+                  )
+                end
+                Token.where(condition).delete_all
               end
               # Returns the active user who owns the key for the given action
               def self.find_active_user(action, key, validity_days=nil)
                 user = find_user(action, key, validity_days)
                 if user && user.active?
                   user
                 end
               end
               # Returns the user who owns the key for the given action
               def self.find_user(action, key, validity_days=nil)
                 token = find_token(action, key, validity_days)
                 if token
                   token.user
                 end
               end
               # Returns the token for action and key with an optional
               # validity duration (in number of days)
               def self.find_token(action, key, validity_days=nil)
                 action = action.to_s
                 key = key.to_s
                 return nil unless action.present? && key =~ /\A[a-z0-9]+\z/i
                 token = Token.where(:action => action, :value => key).first
                 if token && (token.action == action) && (token.value == key) && token.user
                   if validity_days.nil? || (token.created_on > validity_days.days.ago)
                     token
                   end
                 end
               end
               def self.generate_token_value
                 Redmine::Utils.random_hex(20)
               end
               private
               # Removes obsolete tokens (same user and action)
               def delete_previous_tokens
                 if user
                   scope = Token.where(:user_id => user.id, :action => action)
-                  if action == 'session'
+                  if max_instances > 1
-                    ids = scope.order(:updated_on => :desc).offset(9).ids
+                    ids = scope.order(:updated_on => :desc).offset(max_instances - 1).ids
                     if ids.any?
                       Token.delete(ids)
                     end
                   else
                     scope.delete_all
                   end
                 end
               end
             end

test/unit/token_test.rb +26 -11

             # Redmine - project management software
             # Copyright (C) 2006-2016  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require File.expand_path('../../test_helper', __FILE__)
             class TokenTest < ActiveSupport::TestCase
               fixtures :tokens, :users, :email_addresses
               def test_create
                 token = Token.new
                 token.save
                 assert_equal 40, token.value.length
                 assert !token.expired?
               end
               def test_create_should_remove_existing_tokens
                 user = User.find(1)
-                t1 = Token.create(:user => user, :action => 'autologin')
+                t1 = Token.create(:user => user, :action => 'register')
-                t2 = Token.create(:user => user, :action => 'autologin')
+                t2 = Token.create(:user => user, :action => 'register')
                 assert_not_equal t1.value, t2.value
                 assert !Token.exists?(t1.id)
                 assert  Token.exists?(t2.id)
               end
-              def test_create_session_token_should_keep_last_10_tokens
+              def test_create_session_or_autologin_token_should_keep_last_10_tokens
                 Token.delete_all
                 user = User.find(1)
+                ["autologin", "session"].each do |action|
                   assert_difference 'Token.count', 10 do
-.times { Token.create!(:user => user, :action => 'session') }
+.times { Token.create!(:user => user, :action => action) }
                   end
                   assert_no_difference 'Token.count' do
-                  Token.create!(:user => user, :action => 'session')
+                    Token.create!(:user => user, :action => action)
+                  end
                 end
               end
-              def test_destroy_expired_should_not_destroy_feeds_and_api_tokens
+              def test_destroy_expired_should_not_destroy_session_feeds_and_api_tokens
                 Token.delete_all
                 Token.create!(:user_id => 1, :action => 'api', :created_on => 7.days.ago)
                 Token.create!(:user_id => 1, :action => 'feeds', :created_on => 7.days.ago)
+                Token.create!(:user_id => 1, :action => 'session', :created_on => 7.days.ago)
                 assert_no_difference 'Token.count' do
                   assert_equal 0, Token.destroy_expired
                 end
               end
               def test_destroy_expired_should_destroy_expired_tokens
                 Token.delete_all
-                Token.create!(:user_id => 1, :action => 'autologin', :created_on => 7.days.ago)
+                # Expiration of autologin tokens is determined by Setting.autologin
-                Token.create!(:user_id => 2, :action => 'autologin', :created_on => 3.days.ago)
+                Setting.autologin = "7"
-                Token.create!(:user_id => 3, :action => 'autologin', :created_on => 1.hour.ago)
+                Token.create!(:user_id => 2, :action => 'autologin', :created_on => 3.weeks.ago)
+                Token.create!(:user_id => 3, :action => 'autologin', :created_on => 3.days.ago)
+                # Expiration of register and recovery tokens is determined by Token.validity_time
+                Token.create!(:user_id => 1, :action => 'register', :created_on => 7.days.ago)
+                Token.create!(:user_id => 3, :action => 'register', :created_on => 7.hours.ago)
+                Token.create!(:user_id => 2, :action => 'recovery', :created_on => 3.days.ago)
+                Token.create!(:user_id => 3, :action => 'recovery', :created_on => 3.hours.ago)
+                # Expiration of tokens with unknown action is determined by Token.validity_time
+                Token.create!(:user_id => 2, :action => 'unknown_action', :created_on => 2.days.ago)
+                Token.create!(:user_id => 3, :action => 'unknown_action', :created_on => 2.hours.ago)
-                assert_difference 'Token.count', -2 do
+                assert_difference 'Token.count', -4 do
-                  assert_equal 2, Token.destroy_expired
+                  assert_equal 4, Token.destroy_expired
                 end
               end
               def test_find_active_user_should_return_user
                 token = Token.create!(:user_id => 1, :action => 'api')
                 assert_equal User.find(1), Token.find_active_user('api', token.value)
               end
               def test_find_active_user_should_return_nil_for_locked_user
                 token = Token.create!(:user_id => 1, :action => 'api')
                 User.find(1).lock!
                 assert_nil Token.find_active_user('api', token.value)
               end
               def test_find_user_should_return_user
                 token = Token.create!(:user_id => 1, :action => 'api')
                 assert_equal User.find(1), Token.find_user('api', token.value)
               end
               def test_find_user_should_return_locked_user
                 token = Token.create!(:user_id => 1, :action => 'api')
                 User.find(1).lock!
                 assert_equal User.find(1), Token.find_user('api', token.value)
               end
               def test_find_token_should_return_the_token
                 token = Token.create!(:user_id => 1, :action => 'api')
                 assert_equal token, Token.find_token('api', token.value)
               end
               def test_find_token_should_return_the_token_with_validity
                 token = Token.create!(:user_id => 1, :action => 'api', :created_on => 1.hour.ago)
                 assert_equal token, Token.find_token('api', token.value, 1)
               end
               def test_find_token_should_return_nil_with_wrong_action
                 token = Token.create!(:user_id => 1, :action => 'feeds')
                 assert_nil Token.find_token('api', token.value)
               end
               def test_find_token_should_return_nil_without_user
                 token = Token.create!(:user_id => 999, :action => 'api')
                 assert_nil Token.find_token('api', token.value)
               end
               def test_find_token_should_return_nil_with_validity_expired
                 token = Token.create!(:user_id => 999, :action => 'api', :created_on => 2.days.ago)
                 assert_nil Token.find_token('api', token.value, 1)
               end
             end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages