mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-13 10:22:42 +01:00
69ddb0ced6
Summary: Ref T4339. Ref T4310. Currently, sessions look like `"afad85d675fda87a4fadd54"`, and are only issued for logged-in users. To support logged-out CSRF and (eventually) external user sessions, I made two small changes: - First, sessions now have a "kind", which is indicated by a prefix, like `"A/ab987asdcas7dca"`. This mostly allows us to issue session queries more efficiently: we don't have to issue a query at all for anonymous sessions, and can join the correct table for user and external sessions and save a query. Generally, this gives us more debugging information and more opportunity to recover from issues in a user-friendly way, as with the "invalid session" error in this diff. - Secondly, if you load a page and don't have a session, we give you an anonymous session. This is just a secret with no special significance. This does not implement CSRF yet, but gives us a client secret we can use to implement it. Test Plan: - Logged in. - Logged out. - Browsed around. - Logged in again. - Went through link/register. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T4310, T4339 Differential Revision: https://secure.phabricator.com/D8043
85 lines
2.1 KiB
PHP
85 lines
2.1 KiB
PHP
<?php
|
|
|
|
final class PhabricatorAuthSession extends PhabricatorAuthDAO
|
|
implements PhabricatorPolicyInterface {
|
|
|
|
const TYPE_WEB = 'web';
|
|
const TYPE_CONDUIT = 'conduit';
|
|
|
|
protected $userPHID;
|
|
protected $type;
|
|
protected $sessionKey;
|
|
protected $sessionStart;
|
|
protected $sessionExpires;
|
|
|
|
private $identityObject = self::ATTACHABLE;
|
|
|
|
public function getConfiguration() {
|
|
return array(
|
|
self::CONFIG_TIMESTAMPS => false,
|
|
) + parent::getConfiguration();
|
|
}
|
|
|
|
public function getApplicationName() {
|
|
// This table predates the "Auth" application, and really all applications.
|
|
return 'user';
|
|
}
|
|
|
|
public function getTableName() {
|
|
// This is a very old table with a nonstandard name.
|
|
return PhabricatorUser::SESSION_TABLE;
|
|
}
|
|
|
|
public function attachIdentityObject($identity_object) {
|
|
$this->identityObject = $identity_object;
|
|
return $this;
|
|
}
|
|
|
|
public function getIdentityObject() {
|
|
return $this->assertAttached($this->identityObject);
|
|
}
|
|
|
|
public static function getSessionTypeTTL($session_type) {
|
|
switch ($session_type) {
|
|
case self::TYPE_WEB:
|
|
return (60 * 60 * 24 * 30); // 30 days
|
|
case self::TYPE_CONDUIT:
|
|
return (60 * 60 * 24); // 24 hours
|
|
default:
|
|
throw new Exception(pht('Unknown session type "%s".', $session_type));
|
|
}
|
|
}
|
|
|
|
/* -( PhabricatorPolicyInterface )----------------------------------------- */
|
|
|
|
|
|
public function getCapabilities() {
|
|
return array(
|
|
PhabricatorPolicyCapability::CAN_VIEW,
|
|
);
|
|
}
|
|
|
|
public function getPolicy($capability) {
|
|
return PhabricatorPolicies::POLICY_NOONE;
|
|
}
|
|
|
|
public function hasAutomaticCapability($capability, PhabricatorUser $viewer) {
|
|
if (!$viewer->getPHID()) {
|
|
return false;
|
|
}
|
|
|
|
$object = $this->getIdentityObject();
|
|
if ($object instanceof PhabricatorUser) {
|
|
return ($object->getPHID() == $viewer->getPHID());
|
|
} else if ($object instanceof PhabricatorExternalAccount) {
|
|
return ($object->getUserPHID() == $viewer->getPHID());
|
|
}
|
|
|
|
return false;
|
|
}
|
|
|
|
public function describeAutomaticCapability($capability) {
|
|
return pht('A session is visible only to its owner.');
|
|
}
|
|
|
|
}
|