2013-10-09 00:10:37 -04:00
|
|
|
require_dependency "auth/current_user_provider"
|
2016-07-27 22:58:49 -04:00
|
|
|
require_dependency "rate_limiter"
|
2013-10-09 00:10:37 -04:00
|
|
|
|
|
|
|
class Auth::DefaultCurrentUserProvider
|
|
|
|
|
2014-05-22 18:13:25 -04:00
|
|
|
CURRENT_USER_KEY ||= "_DISCOURSE_CURRENT_USER".freeze
|
|
|
|
API_KEY ||= "api_key".freeze
|
2016-08-18 00:38:33 -04:00
|
|
|
USER_API_KEY ||= "HTTP_USER_API_KEY".freeze
|
2014-05-22 18:13:25 -04:00
|
|
|
API_KEY_ENV ||= "_DISCOURSE_API".freeze
|
|
|
|
TOKEN_COOKIE ||= "_t".freeze
|
|
|
|
PATH_INFO ||= "PATH_INFO".freeze
|
2016-07-27 22:58:49 -04:00
|
|
|
COOKIE_ATTEMPTS_PER_MIN ||= 10
|
2013-10-09 00:10:37 -04:00
|
|
|
|
|
|
|
# do all current user initialization here
|
|
|
|
def initialize(env)
|
|
|
|
@env = env
|
|
|
|
@request = Rack::Request.new(env)
|
|
|
|
end
|
|
|
|
|
|
|
|
# our current user, return nil if none is found
|
|
|
|
def current_user
|
|
|
|
return @env[CURRENT_USER_KEY] if @env.key?(CURRENT_USER_KEY)
|
|
|
|
|
2014-10-23 22:38:00 -04:00
|
|
|
# bypass if we have the shared session header
|
|
|
|
if shared_key = @env['HTTP_X_SHARED_SESSION_KEY']
|
|
|
|
uid = $redis.get("shared_session_key_#{shared_key}")
|
|
|
|
user = nil
|
|
|
|
if uid
|
|
|
|
user = User.find_by(id: uid.to_i)
|
|
|
|
end
|
|
|
|
@env[CURRENT_USER_KEY] = user
|
|
|
|
return user
|
|
|
|
end
|
|
|
|
|
2014-05-22 18:13:25 -04:00
|
|
|
request = @request
|
2013-10-09 00:10:37 -04:00
|
|
|
|
|
|
|
auth_token = request.cookies[TOKEN_COOKIE]
|
|
|
|
|
|
|
|
current_user = nil
|
|
|
|
|
|
|
|
if auth_token && auth_token.length == 32
|
2016-08-08 20:02:18 -04:00
|
|
|
limiter = RateLimiter.new(nil, "cookie_auth_#{request.ip}", COOKIE_ATTEMPTS_PER_MIN ,60)
|
|
|
|
|
|
|
|
if limiter.can_perform?
|
|
|
|
current_user = User.where(auth_token: auth_token)
|
2016-07-24 22:49:33 -04:00
|
|
|
.where('auth_token_updated_at IS NULL OR auth_token_updated_at > ?',
|
|
|
|
SiteSetting.maximum_session_age.hours.ago)
|
|
|
|
.first
|
2016-08-08 20:02:18 -04:00
|
|
|
end
|
2016-07-27 22:58:49 -04:00
|
|
|
|
|
|
|
unless current_user
|
|
|
|
begin
|
2016-08-08 20:02:18 -04:00
|
|
|
limiter.performed!
|
2016-07-27 22:58:49 -04:00
|
|
|
rescue RateLimiter::LimitExceeded
|
|
|
|
raise Discourse::InvalidAccess
|
|
|
|
end
|
|
|
|
end
|
2013-10-09 00:10:37 -04:00
|
|
|
end
|
|
|
|
|
2014-04-28 13:46:28 -04:00
|
|
|
if current_user && (current_user.suspended? || !current_user.active)
|
2013-10-09 00:10:37 -04:00
|
|
|
current_user = nil
|
|
|
|
end
|
|
|
|
|
2014-05-22 18:13:25 -04:00
|
|
|
if current_user && should_update_last_seen?
|
2014-03-16 20:59:34 -04:00
|
|
|
u = current_user
|
2014-07-17 16:22:46 -04:00
|
|
|
Scheduler::Defer.later "Updating Last Seen" do
|
2014-03-16 20:59:34 -04:00
|
|
|
u.update_last_seen!
|
|
|
|
u.update_ip_address!(request.ip)
|
|
|
|
end
|
2013-10-09 00:10:37 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
# possible we have an api call, impersonate
|
2014-05-22 18:13:25 -04:00
|
|
|
if api_key = request[API_KEY]
|
|
|
|
current_user = lookup_api_user(api_key, request)
|
|
|
|
raise Discourse::InvalidAccess unless current_user
|
|
|
|
@env[API_KEY_ENV] = true
|
2013-10-09 00:10:37 -04:00
|
|
|
end
|
|
|
|
|
2016-08-15 03:58:33 -04:00
|
|
|
# user api key handling
|
|
|
|
if api_key = @env[USER_API_KEY]
|
|
|
|
|
|
|
|
limiter_min = RateLimiter.new(nil, "user_api_min_#{api_key}", SiteSetting.max_user_api_reqs_per_minute, 60)
|
|
|
|
limiter_day = RateLimiter.new(nil, "user_api_day_#{api_key}", SiteSetting.max_user_api_reqs_per_day, 86400)
|
|
|
|
|
|
|
|
unless limiter_day.can_perform?
|
2016-08-25 20:38:46 -04:00
|
|
|
limiter_day.performed!
|
2016-08-15 03:58:33 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
unless limiter_min.can_perform?
|
2016-08-25 20:38:46 -04:00
|
|
|
limiter_min.performed!
|
2016-08-15 03:58:33 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
current_user = lookup_user_api_user(api_key)
|
|
|
|
raise Discourse::InvalidAccess unless current_user
|
|
|
|
|
|
|
|
limiter_min.performed!
|
|
|
|
limiter_day.performed!
|
|
|
|
|
|
|
|
@env[API_KEY_ENV] = true
|
|
|
|
end
|
|
|
|
|
2013-10-09 00:10:37 -04:00
|
|
|
@env[CURRENT_USER_KEY] = current_user
|
|
|
|
end
|
|
|
|
|
2016-07-24 22:07:31 -04:00
|
|
|
def refresh_session(user, session, cookies)
|
2016-08-15 03:58:33 -04:00
|
|
|
return if is_api?
|
|
|
|
|
2016-07-24 22:49:33 -04:00
|
|
|
if user && (!user.auth_token_updated_at || user.auth_token_updated_at <= 1.hour.ago)
|
2016-07-24 22:07:31 -04:00
|
|
|
user.update_column(:auth_token_updated_at, Time.zone.now)
|
|
|
|
cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }
|
|
|
|
end
|
2016-07-27 22:58:49 -04:00
|
|
|
if !user && cookies.key?(TOKEN_COOKIE)
|
|
|
|
cookies.delete(TOKEN_COOKIE)
|
|
|
|
end
|
2016-07-24 22:07:31 -04:00
|
|
|
end
|
|
|
|
|
2013-10-09 00:10:37 -04:00
|
|
|
def log_on_user(user, session, cookies)
|
2016-07-25 21:37:41 -04:00
|
|
|
legit_token = user.auth_token && user.auth_token.length == 32
|
|
|
|
expired_token = user.auth_token_updated_at && user.auth_token_updated_at < SiteSetting.maximum_session_age.hours.ago
|
|
|
|
|
|
|
|
if !legit_token || expired_token
|
|
|
|
user.update_columns(auth_token: SecureRandom.hex(16),
|
|
|
|
auth_token_updated_at: Time.zone.now)
|
|
|
|
end
|
|
|
|
|
2016-07-22 17:27:30 -04:00
|
|
|
cookies[TOKEN_COOKIE] = { value: user.auth_token, httponly: true, expires: SiteSetting.maximum_session_age.hours.from_now }
|
2013-11-01 19:25:43 -04:00
|
|
|
make_developer_admin(user)
|
2016-04-26 13:08:19 -04:00
|
|
|
enable_bootstrap_mode(user)
|
2013-10-09 00:10:37 -04:00
|
|
|
@env[CURRENT_USER_KEY] = user
|
|
|
|
end
|
|
|
|
|
2013-11-01 19:25:43 -04:00
|
|
|
def make_developer_admin(user)
|
|
|
|
if user.active? &&
|
|
|
|
!user.admin &&
|
|
|
|
Rails.configuration.respond_to?(:developer_emails) &&
|
|
|
|
Rails.configuration.developer_emails.include?(user.email)
|
2014-03-24 03:03:39 -04:00
|
|
|
user.admin = true
|
|
|
|
user.save
|
2013-11-01 19:25:43 -04:00
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2016-04-26 13:08:19 -04:00
|
|
|
def enable_bootstrap_mode(user)
|
|
|
|
Jobs.enqueue(:enable_bootstrap_mode, user_id: user.id) if user.admin && user.last_seen_at.nil? && !SiteSetting.bootstrap_mode_enabled && user.is_singular_admin?
|
|
|
|
end
|
|
|
|
|
2013-10-09 00:10:37 -04:00
|
|
|
def log_off_user(session, cookies)
|
2015-01-27 20:56:25 -05:00
|
|
|
if SiteSetting.log_out_strict && (user = current_user)
|
|
|
|
user.auth_token = nil
|
|
|
|
user.save!
|
2016-05-18 03:27:54 -04:00
|
|
|
|
|
|
|
if user.admin && defined?(Rack::MiniProfiler)
|
|
|
|
# clear the profiling cookie to keep stuff tidy
|
2016-07-27 22:58:49 -04:00
|
|
|
cookies.delete("__profilin")
|
2016-05-18 03:27:54 -04:00
|
|
|
end
|
|
|
|
|
2016-07-04 05:20:30 -04:00
|
|
|
user.logged_out
|
2015-01-27 20:56:25 -05:00
|
|
|
end
|
2016-07-27 22:58:49 -04:00
|
|
|
cookies.delete(TOKEN_COOKIE)
|
2013-10-09 00:10:37 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
# api has special rights return true if api was detected
|
|
|
|
def is_api?
|
|
|
|
current_user
|
2014-05-22 18:42:58 -04:00
|
|
|
@env[API_KEY_ENV]
|
2013-10-09 00:10:37 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
def has_auth_cookie?
|
2014-05-22 18:13:25 -04:00
|
|
|
cookie = @request.cookies[TOKEN_COOKIE]
|
2013-10-09 00:10:37 -04:00
|
|
|
!cookie.nil? && cookie.length == 32
|
|
|
|
end
|
2014-05-22 18:13:25 -04:00
|
|
|
|
|
|
|
def should_update_last_seen?
|
|
|
|
!(@request.path =~ /^\/message-bus\//)
|
|
|
|
end
|
|
|
|
|
|
|
|
protected
|
|
|
|
|
2016-09-02 02:57:41 -04:00
|
|
|
WHITELISTED_WRITE_PATHS ||= [/^\/message-bus\/.*\/poll/, /^\/user-api-key\/revoke$/]
|
2016-08-15 03:58:33 -04:00
|
|
|
def lookup_user_api_user(user_api_key)
|
2016-08-16 03:06:33 -04:00
|
|
|
if api_key = UserApiKey.where(key: user_api_key, revoked_at: nil).includes(:user).first
|
2016-09-02 02:57:41 -04:00
|
|
|
unless api_key.write
|
|
|
|
if @env["REQUEST_METHOD"] != "GET"
|
|
|
|
path = @env["PATH_INFO"]
|
|
|
|
unless WHITELISTED_WRITE_PATHS.any?{|whitelisted| path =~ whitelisted}
|
|
|
|
raise Discourse::InvalidAccess
|
|
|
|
end
|
|
|
|
end
|
2016-08-15 03:58:33 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
api_key.user
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2014-05-22 18:13:25 -04:00
|
|
|
def lookup_api_user(api_key_value, request)
|
2016-06-01 15:48:06 -04:00
|
|
|
if api_key = ApiKey.where(key: api_key_value).includes(:user).first
|
2014-05-22 18:13:25 -04:00
|
|
|
api_username = request["api_username"]
|
2014-11-19 23:21:49 -05:00
|
|
|
|
2016-06-01 15:48:06 -04:00
|
|
|
if api_key.allowed_ips.present? && !api_key.allowed_ips.any? { |ip| ip.include?(request.ip) }
|
|
|
|
Rails.logger.warn("[Unauthorized API Access] username: #{api_username}, IP address: #{request.ip}")
|
2014-11-19 23:21:49 -05:00
|
|
|
return nil
|
|
|
|
end
|
|
|
|
|
2014-05-22 18:13:25 -04:00
|
|
|
if api_key.user
|
|
|
|
api_key.user if !api_username || (api_key.user.username_lower == api_username.downcase)
|
|
|
|
elsif api_username
|
|
|
|
User.find_by(username_lower: api_username.downcase)
|
|
|
|
end
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
2013-10-09 00:10:37 -04:00
|
|
|
end
|