liquid_feedback_frontend

diff model/session.lua @ 1309:32cc544d5a5b

Cumulative patch for upcoming frontend version 4
author bsw/jbe
date Sun Jul 15 14:07:29 2018 +0200 (2018-07-15)
parents aefef1556d55
children 3e9b0f1adec3
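--- a/model/session.lua	Thu Jun 23 03:30:57 2016 +0200
+++ b/model/session.lua	Sun Jul 15 14:07:29 2018 +0200
@@ -10,21 +10,57 @@
   ref           = 'member',
 }
 
-local function random_string()
+Session:add_reference{
+  mode          = 'm1',
+  to            = "Member",
+  this_key      = 'real_member_id',
+  that_key      = 'id',
+  ref           = 'real_member',
+}
+
+local secret_length = 24
+local secret_alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+local secret_purposes = { "oauth", "csrf", "_other" }
+for idx, purpose in ipairs(secret_purposes) do
+  secret_purposes[purpose] = idx
+end
+
+local function random_string(length_multiplier)
   return multirand.string(
-    32,
-    '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+    secret_length * (length_multiplier or 1),
+    secret_alphabet
   )
 end
 
 function Session:new()
   local session = self.prototype.new(self)  -- super call
   session.ident             = random_string()
-  session.additional_secret = random_string()
-  session:save() 
+  session.additional_secret = random_string(#secret_purposes)
+  session:save()
   return session
 end
 
+function Session.object:additional_secret_for(purpose)
+  local use_hash = false
+  local idx = secret_purposes[purpose]
+  if not idx then
+    idx = assert(secret_purposes._other, "No other secrets supported")
+    use_hash = true
+  end
+  local from_pos = secret_length * (idx-1) + 1
+  local to_pos = from_pos + secret_length - 1
+  local secret = string.sub(self.additional_secret, from_pos, to_pos)
+  if #secret ~=  secret_length then
+    self:destroy()
+    error("Session state invalid")
+  end
+  if use_hash then
+    local moonhash = require "moonhash"  -- TODO: auto loader for libraries in WebMCP?
+    secret = moonhash.shake256(secret .. "\0" .. purpose, secret_length, secret_alphabet)
+  end
+  return secret
+end
+
 function Session:by_ident(ident)
   local selector = self:new_selector()
   selector:add_where{ 'ident = ?', ident }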
