Rebase fixes

syeopite 2023-07-25 15:40:06 -07:00
parent 71f3053c7b
commit eb70eb3747
No known key found for this signature in database
GPG Key ID: A73C186DA3955A1A
3 changed files with 16 additions and 7 deletions


@ -1 +0,0 @@
psql invidious kemal -c "ALTER TABLE users ADD COLUMN totp_secret VARCHAR(128)"


@ -0,0 +1,11 @@
module Invidious::Database::Migrations
class AddTotpSecretToUsersTable < Migration
version 11
def up(conn : DB::Connection)
conn.exec <<-SQL
ALTER TABLE users ADD COLUMN totp_secret VARCHAR(128)
SQL
end
end
end
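Review bot: The `ALTER TABLE` in `up` has no guard for a column that already exists, so on a database where the removed `psql` one-liner was already run this migration would likely fail. `ALTER TABLE users ADD COLUMN IF NOT EXISTS totp_secret VARCHAR(128)` applies cleanly in both cases. The column also appears to hold the TOTP shared secret as plain text, so anyone with read access to `users` (a backup or SQL dump) could compute valid codes. Encrypting the value before it is stored, or at least a comment on the migration stating the trade-off, would make that explicit; how the secret is written is not visible in this section.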


@ -24,7 +24,7 @@ module Invidious::Routes::Account
user = user.as(User) user = user.as(User)
sid = sid.as(String) sid = sid.as(String)
if user.totp_secret && env.response.cookies["2faVerified"]?.try &.value != "1" || nil if user.totp_secret && env.request.cookies["2faVerified"]?.try &.value != "1" || nil
return call_totp_validator(env, user, sid, locale) return call_totp_validator(env, user, sid, locale)
end end
@ -461,15 +461,14 @@ module Invidious::Routes::Account
end end
# There are two routes we can go here. # There are two routes we can go here.
# 1. Where the user is already logged in and is # 1. Where the user is already logged in and is confirming a dangerous task.
# confirming an dangerous task.
# 2. The user is logging in. # 2. The user is logging in.
# #
# This can be detected by the hidden email and password parameter # The latter can be detected by the hidden email and password parameter
# https://stackoverflow.com/a/574698 # If we have the email and password variables set then that means we are currently logging in
if email && password if email && password
# Verify the password again for extra security # Verify the password
if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55)) if Crypto::Bcrypt::Password.new(user.password.not_nil!).verify(password.byte_slice(0, 55))
sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32)) sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc) PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.utc)
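Review bot: The check in the first hunk, `env.request.cookies["2faVerified"]?.try &.value != "1"`, treats a cookie supplied by the client as proof that TOTP validation happened, so a request with a valid session id that sets `2faVerified=1` itself would skip `call_totp_validator`. Unless that cookie is signed or verified elsewhere (not visible here), the verified state should be kept server-side with the session, for instance recorded with the `session_ids` row that the second hunk inserts and looked up by `sid`. The trailing `|| nil` also makes the precedence of the condition hard to read; parenthesising the cookie comparison would help. The enclosing route methods start and end outside both hunks.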