[server] Use correct app while updating ott table
This commit is contained in:
parent
6bf22fa864
commit
73eacfb30d
4 changed files with 23 additions and 18 deletions
|
@ -1,11 +1,9 @@
|
|||
|
||||
-- Add unique index on otts for email_hash,app,ott
|
||||
BEGIN;
|
||||
ALTER TABLE
|
||||
otts DROP CONSTRAINT unique_otts_emailhash_ott;
|
||||
otts DROP CONSTRAINT IF EXISTS unique_otts_emailhash_app_ott;
|
||||
|
||||
ALTER TABLE
|
||||
otts
|
||||
ADD
|
||||
CONSTRAINT unique_otts_emailhash_app_ott UNIQUE (ott,app, email_hash);
|
||||
COMMIT;
|
||||
CONSTRAINT unique_otts_emailhash_ott UNIQUE (ott, email_hash);
|
||||
COMMIT;
|
|
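Review bot: The re-added constraint `CONSTRAINT unique_otts_emailhash_ott UNIQUE (ott, email_hash);` can fail at rollback time: once the app-scoped constraint has been live, the table may hold rows that share (ott, email_hash) across different apps, and the ADD CONSTRAINT then aborts the whole transaction. If this is the down migration (the file path is not visible in this rendering; the `IF EXISTS` variant on the second DROP is what suggests it), it should delete or deduplicate such rows before the ADD, or carry a comment stating that the revert only succeeds while no cross-app duplicates exist. The header comment `-- Add unique index on otts for email_hash,app,ott` describes the forward change; in a revert script it should read `-- Revert otts unique constraint to (ott, email_hash)`.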
@ -1,2 +1,9 @@
|
|||
DROP TRIGGER IF EXISTS update_location_tag_updated_at ON location_tag;
|
||||
DROP TABLE location_tag;
|
||||
BEGIN;
|
||||
ALTER TABLE
|
||||
otts DROP CONSTRAINT IF EXISTS unique_otts_emailhash_ott;
|
||||
|
||||
ALTER TABLE
|
||||
otts
|
||||
ADD
|
||||
CONSTRAINT unique_otts_emailhash_app_ott UNIQUE (ott,app, email_hash);
|
||||
COMMIT;
|
|
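Review bot: The new constraint `CONSTRAINT unique_otts_emailhash_app_ott UNIQUE (ott,app, email_hash);` is backed by an index that leads with `ott`, so it cannot serve the repository lookups that filter on `email_hash` and `app` alone (the wrong-attempt and valid-OTT queries); unless a separate index on (email_hash, app) already exists, order the columns `(email_hash, app, ott)`, which is also what the header comment describes. The replaced lines dropped the `location_tag` trigger and table; if this file is an existing migration that has already been applied somewhere, rewriting its content in place will not make the migration tool re-run it, so a fresh migration number may be needed — the path is not visible here, so this is inferred.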
@ -140,7 +140,7 @@ func (c *UserController) verifyEmailOtt(context *gin.Context, email string, ott
|
|||
if err != nil {
|
||||
return stacktrace.Propagate(err, "")
|
||||
}
|
||||
wrongAttempt, err := c.UserAuthRepo.GetMaxWrongAttempts(emailHash)
|
||||
wrongAttempt, err := c.UserAuthRepo.GetMaxWrongAttempts(emailHash, auth.GetApp(context))
|
||||
if err != nil {
|
||||
return stacktrace.Propagate(err, "")
|
||||
}
|
||||
|
@ -166,12 +166,12 @@ func (c *UserController) verifyEmailOtt(context *gin.Context, email string, ott
|
|||
}
|
||||
}
|
||||
if !isValidOTT {
|
||||
if err = c.UserAuthRepo.RecordWrongAttemptForActiveOtt(emailHash); err != nil {
|
||||
if err = c.UserAuthRepo.RecordWrongAttemptForActiveOtt(emailHash, auth.GetApp(context)); err != nil {
|
||||
log.WithError(err).Warn("Failed to track wrong attempt")
|
||||
}
|
||||
return stacktrace.Propagate(ente.ErrIncorrectOTT, "")
|
||||
}
|
||||
err = c.UserAuthRepo.RemoveOTT(emailHash, ott)
|
||||
err = c.UserAuthRepo.RemoveOTT(emailHash, ott, auth.GetApp(context))
|
||||
if err != nil {
|
||||
return stacktrace.Propagate(err, "")
|
||||
}
|
||||
|
|
|
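Review bot: `auth.GetApp(context)` is now evaluated three times in verifyEmailOtt (the GetMaxWrongAttempts, RecordWrongAttemptForActiveOtt and RemoveOTT calls); resolve it once near the top of the function, `app := auth.GetApp(context)`, and pass `app` to all three so one value is guaranteed for the whole verification and the call sites stay short. Scoping the wrong-attempt counter by app also means the value read from GetMaxWrongAttempts is now per (email, app) rather than per email, so each app gets its own attempt budget for the same email; if the threshold compared against it was sized for a single email-wide counter, either keep the limit check on the email-wide maximum or document the per-app budget next to the threshold. verifyEmailOtt starts and ends outside the hunks shown.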
@ -20,14 +20,14 @@ type UserAuthRepository struct {
|
|||
func (repo *UserAuthRepository) AddOTT(emailHash string, app ente.App, ott string, expirationTime int64) error {
|
||||
_, err := repo.DB.Exec(`INSERT INTO otts(email_hash, ott, creation_time, expiration_time, app)
|
||||
VALUES($1, $2, $3, $4, $5)
|
||||
ON CONFLICT ON CONSTRAINT unique_otts_emailhash_ott DO UPDATE SET creation_time = $3, expiration_time = $4`,
|
||||
ON CONFLICT ON CONSTRAINT unique_otts_emailhash_app_ott DO UPDATE SET creation_time = $3, expiration_time = $4`,
|
||||
emailHash, ott, time.Microseconds(), expirationTime, app)
|
||||
return stacktrace.Propagate(err, "")
|
||||
}
|
||||
|
||||
// RemoveOTT removes the specified OTT (to be used when an OTT has been consumed)
|
||||
func (repo *UserAuthRepository) RemoveOTT(emailHash string, ott string) error {
|
||||
_, err := repo.DB.Exec(`DELETE FROM otts WHERE email_hash = $1 AND ott = $2`, emailHash, ott)
|
||||
func (repo *UserAuthRepository) RemoveOTT(emailHash string, ott string, app ente.App) error {
|
||||
_, err := repo.DB.Exec(`DELETE FROM otts WHERE email_hash = $1 AND ott = $2 AND app = $3`, emailHash, ott, app)
|
||||
return stacktrace.Propagate(err, "")
|
||||
}
|
||||
|
||||
|
@ -69,9 +69,9 @@ func (repo *UserAuthRepository) GetValidOTTs(emailHash string, app ente.App) ([]
|
|||
return otts, nil
|
||||
}
|
||||
|
||||
func (repo *UserAuthRepository) GetMaxWrongAttempts(emailHash string) (int, error) {
|
||||
row := repo.DB.QueryRow(`SELECT COALESCE(MAX(wrong_attempt),0) FROM otts WHERE email_hash = $1 AND expiration_time > $2`,
|
||||
emailHash, time.Microseconds())
|
||||
func (repo *UserAuthRepository) GetMaxWrongAttempts(emailHash string, app ente.App) (int, error) {
|
||||
row := repo.DB.QueryRow(`SELECT COALESCE(MAX(wrong_attempt),0) FROM otts WHERE email_hash = $1 AND expiration_time > $2 AND app = $3`,
|
||||
emailHash, time.Microseconds(), app)
|
||||
var wrongAttempt int
|
||||
if err := row.Scan(&wrongAttempt); err != nil {
|
||||
return 0, stacktrace.Propagate(err, "Failed to scan row")
|
||||
|
@ -81,9 +81,9 @@ func (repo *UserAuthRepository) GetMaxWrongAttempts(emailHash string) (int, erro
|
|||
|
||||
// RecordWrongAttemptForActiveOtt increases the wrong_attempt count for given emailHash and active ott.
|
||||
// Assuming tha we keep deleting expired OTT, max(wrong_attempt) can be used to track brute-force attack
|
||||
func (repo *UserAuthRepository) RecordWrongAttemptForActiveOtt(emailHash string) error {
|
||||
func (repo *UserAuthRepository) RecordWrongAttemptForActiveOtt(emailHash string, app ente.App) error {
|
||||
_, err := repo.DB.Exec(`UPDATE otts SET wrong_attempt = otts.wrong_attempt + 1
|
||||
WHERE email_hash = $1 AND expiration_time > $2`, emailHash, time.Microseconds())
|
||||
WHERE email_hash = $1 AND expiration_time > $2 AND app=$3`, emailHash, time.Microseconds(), app)
|
||||
if err != nil {
|
||||
return stacktrace.Propagate(err, "Failed to update wrong attempt count")
|
||||
}
|
||||
|
|
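Review bot: GetMaxWrongAttempts has no doc comment although it is exported and its contract changed with the new `app` parameter; add `// GetMaxWrongAttempts returns the highest wrong_attempt recorded on any unexpired OTT for the given emailHash and app (0 when none exist).` above the signature, and update the RemoveOTT comment to `// RemoveOTT removes the specified OTT for the given app (to be used when an OTT has been consumed)` since the DELETE is now app-scoped. The same per-app scoping in RecordWrongAttemptForActiveOtt means the counter its comment describes as brute-force tracking is now maintained per (email_hash, app) rather than per email; the comment should say so, and `app=$3` should be written `app = $3` to match the other predicates in this file. The comment typo `Assuming tha we` should read `Assuming that we`.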