liquid_feedback_frontend
view model/session.lua @ 1582:b4a377306a34
Allow fetching roles during token exchange
| author | bsw | 
|---|---|
| date | Tue Jan 26 17:42:36 2021 +0100 (2021-01-26) | 
| parents | 0d74a25bd399 | 
| children | 
 line source
     1 Session = mondelefant.new_class()
     2 Session.table = 'session'
     3 Session.primary_key = { 'ident' } 
     5 Session:add_reference{
     6   mode          = 'm1',
     7   to            = "Member",
     8   this_key      = 'member_id',
     9   that_key      = 'id',
    10   ref           = 'member',
    11 }
    13 Session:add_reference{
    14   mode          = 'm1',
    15   to            = "Member",
    16   this_key      = 'real_member_id',
    17   that_key      = 'id',
    18   ref           = 'real_member',
    19 }
    21 local secret_length = 24
    22 local secret_alphabet = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    23 local secret_purposes = { "oauth", "_other" }
    24 for idx, purpose in ipairs(secret_purposes) do
    25   secret_purposes[purpose] = idx
    26 end
    28 local function random_string(length_multiplier)
    29   return multirand.string(
    30     secret_length * (length_multiplier or 1),
    31     secret_alphabet
    32   )
    33 end
    35 function Session:new()
    36   local session = self.prototype.new(self)  -- super call
    37   session.ident             = random_string()
    38   session.additional_secret = random_string(#secret_purposes)
    39   session:save()
    40   return session
    41 end
    43 function Session.object:set_cookie()
    44   request.set_cookie{
    45     name = config.cookie_name,
    46     value = self.ident,
    47     samesite = "none"
    48   }
    49   request.set_cookie{
    50     name = config.cookie_name_samesite,
    51     value = self.ident
    52   }
    53 end
    55 function Session.object:additional_secret_for(purpose)
    56   local use_hash = false
    57   local idx = secret_purposes[purpose]
    58   if not idx then
    59     idx = assert(secret_purposes._other, "No other secrets supported")
    60     use_hash = true
    61   end
    62   local from_pos = secret_length * (idx-1) + 1
    63   local to_pos = from_pos + secret_length - 1
    64   local secret = string.sub(self.additional_secret, from_pos, to_pos)
    65   if #secret ~=  secret_length then
    66     self:destroy()
    67     error("Session state invalid")
    68   end
    69   if use_hash then
    70     local moonhash = require "moonhash"  -- TODO: auto loader for libraries in WebMCP?
    71     secret = moonhash.shake256(secret .. "\0" .. purpose, secret_length, secret_alphabet)
    72   end
    73   return secret
    74 end
    76 function Session:by_ident(ident)
    77   local selector = self:new_selector()
    78   selector:add_where{ 'ident = ?', ident }
    79   selector:add_field{ 'authority_uid' }
    80   selector:optional_object_mode()
    81   return selector:exec()
    82 end
    84 function Session.object:has_access(level)
    85   if level == "member" then
    86     if app.session.member_id then
    87       return true
    88     else
    89       return false
    90     end
    92   elseif level == "everything" then
    93     if self:has_access("member") or config.public_access == "everything" then
    94       return true
    95     else
    96       return false
    97     end
    99   elseif level == "all_pseudonymous" then
   100     if self:has_access("everything") or config.public_access == "all_pseudonymous" then
   101       return true
   102     else
   103       return false
   104     end
   106   elseif level == "authors_pseudonymous" then
   107     if self:has_access("all_pseudonymous") or config.public_access == "authors_pseudonymous" then
   108       return true
   109     else
   110       return false
   111     end
   113   elseif level == "anonymous" then
   114     if self:has_access("authors_pseudonymous") or config.public_access == "anonymous" then
   115       return true
   116     else
   117       return false
   118     end
   120   end
   122   error("invalid access level")
   123 end
