FEATURE: remove support for legacy auth tokens

2018-05-04 10:11:58 +10:00 · 2018-05-04 10:11:58 +10:00 · 3a06cb461e
parent 62a8904729
commit 3a06cb461e
5 changed files with 22 additions and 31 deletions
--- a/app/models/user_auth_token.rb
+++ b/app/models/user_auth_token.rb
@ -4,6 +4,9 @@ require 'digest/sha1'
 class UserAuthToken < ActiveRecord::Base
  belongs_to :user
  # TODO 2019: remove this line
  self.ignored_columns = ["legacy"]
  ROTATE_TIME = 10.minutes
  # used when token did not arrive at client
  URGENT_ROTATE_TIME = 1.minute
@ -48,9 +51,8 @@ class UserAuthToken < ActiveRecord::Base
    expire_before = SiteSetting.maximum_session_age.hours.ago
    user_token = find_by("(auth_token = :token OR
-                          prev_auth_token = :token OR
+                          prev_auth_token = :token) AND rotated_at > :expire_before",
-                          (auth_token = :unhashed_token AND legacy)) AND rotated_at > :expire_before",
+                          token: token, expire_before: expire_before)
                          token: token, unhashed_token: unhashed_token, expire_before: expire_before)
    if !user_token
@ -180,7 +182,6 @@ end
 #  prev_auth_token :string           not null
 #  user_agent      :string
 #  auth_token_seen :boolean          default(FALSE), not null
 #  legacy          :boolean          default(FALSE), not null
 #  client_ip       :inet
 #  rotated_at      :datetime         not null
 #  created_at      :datetime         not null
--- a/db/fixtures/009_users.rb
+++ b/db/fixtures/009_users.rb
@ -94,6 +94,17 @@ Migration::ColumnDropper.drop(
  }
 )
 Migration::ColumnDropper.drop(
  table: 'user_auth_tokens',
  after_migration: 'RemoveLegacyAuthToken',
  columns: %w[
    legacy
  ],
  on_drop: ->() {
    STDERR.puts 'Removing user_auth_token legacy column!'
  }
 )
 # User for the smoke tests
 if ENV["SMOKE"] == "1"
  UserEmail.seed do |ue|
--- a/db/migrate/20180504000531_remove_legacy_auth_token.rb
+++ b/db/migrate/20180504000531_remove_legacy_auth_token.rb
@ -0,0 +1,5 @@
 class RemoveLegacyAuthToken < ActiveRecord::Migration[5.1]
  def change
    # placeholder so we can drop column in 009_users.rb
  end
 end
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@ -169,26 +169,6 @@ describe Auth::DefaultCurrentUserProvider do
    expect(provider("/topic/anything/goes", method: "GET").should_update_last_seen?).to eq(true)
  end
  it "correctly supports legacy tokens" do
    user = Fabricate(:user)
    token = SecureRandom.hex(16)
    user_token = UserAuthToken.create!(user_id: user.id, auth_token: token,
                                       prev_auth_token: token, legacy: true,
                                       rotated_at: Time.zone.now
                                      )
    prov = provider("/", "HTTP_COOKIE" => "_t=#{user_token.auth_token}")
    expect(prov.current_user.id).to eq(user.id)
    # sets a new token up cause it got a global token
    cookies = {}
    prov.refresh_session(user, {}, cookies)
    user.reload
    expect(user.user_auth_tokens.count).to eq(2)
    expect(cookies["_t"][:value]).not_to eq(token)
  end
  it "correctly rotates tokens" do
    SiteSetting.maximum_session_age = 3
    user = Fabricate(:user)
--- a/spec/models/user_auth_token_spec.rb
+++ b/spec/models/user_auth_token_spec.rb
@ -31,7 +31,7 @@ describe UserAuthToken do
  end
-  it "can lookup both hashed and unhashed" do
+  it "can lookup hashed" do
    user = Fabricate(:user)
    token = UserAuthToken.generate!(user_id: user.id,
@ -45,12 +45,6 @@ describe UserAuthToken do
    lookup_token = UserAuthToken.lookup(token.auth_token)
    expect(lookup_token).to eq(nil)
    token.update_columns(legacy: true)
    lookup_token = UserAuthToken.lookup(token.auth_token)
    expect(user.id).to eq(lookup_token.user.id)
  end
  it "can validate token was seen at lookup time" do