diff --git a/CHANGELOG.md b/CHANGELOG.md index 7a8e40c..acc8976 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ ### Refactor - **Auth/JWT:** Better for auth by JWT (36f49a0) +- **Auth/Middleware:** merge Old Auth{ByCookies, ByPasskey}Middleware (71cd7d7) - **Config:** Remove params `$throw` in Config()->get() (706cc9a) - **RateLimit:** Change last param of isRateLimitHit and rate limit store Namespace (4dd571d) - **Site:** Simple Category Detail get function (ffa6855) diff --git a/apps/components/Site.php b/apps/components/Site.php index dcdc077..7236045 100644 --- a/apps/components/Site.php +++ b/apps/components/Site.php @@ -153,8 +153,15 @@ protected function loadCurUserIdFromCookies() if (strcasecmp($payload['secure_login_ip'], $now_ip_crc) !== 0) return false; } - // Verity $jti is force expired or not by check invalidUserSessionSet - if (app()->redis->sIsMember(Constant::invalidUserSessionSet, $payload['jti'])) return false; + // Verity $jti is force expired or not by checking mapUserSessionToId + $expired_check = app()->redis->zScore(Constant::mapUserSessionToId, $payload['jti']); + if ($expired_check === false) { // session is not see in Zset Cache (may lost or first time init), load from database ( Lazy load... ) + $uid = app()->pdo->createCommand('SELECT `uid` FROM `user_session_log` WHERE sid = :sid AND `expired` != 1 LIMIT 1')->bindParams([ + 'sid' => $payload['jti'] + ])->queryScalar(); + app()->redis->zAdd(Constant::mapUserSessionToId, $uid ?: 0, $payload['jti']); // Store 0 if session -> uid is invalid + if ($uid === false) return false; // this session is not exist or marked as expired + } elseif ($expired_check != $payload['user_id']) return false; // may return (double) 0 , which means already make invalid ; or it check if user obtain this session (may Overdesign) // Check if user want secure access but his environment is not secure if (!app()->request->isSecure() && // if User requests is not secure , then diff --git a/apps/libraries/Constant.php b/apps/libraries/Constant.php index d40fdcf..820eae0 100644 --- a/apps/libraries/Constant.php +++ b/apps/libraries/Constant.php @@ -14,14 +14,12 @@ class Constant const cookie_name = 'rid'; const mapUsernameToId = 'Map:user_username_to_user_id:hash'; - const mapUserPasskeyToId = 'Map:user_passkey_to_user_id:zset'; + const mapUserPasskeyToId = 'Map:user_passkey_to_user_id:zset'; // (double) 0 means invalid + const mapUserSessionToId = 'Map:user_session_to_user_id:zset'; // (double) 0 means invalid // --- invalid Zset --- const invalidUserIdZset = 'Site:invalid_user_id:zset'; - // --- invalid Set --- - const invalidUserSessionSet = 'Site:invalid_user_session:set'; // Store the force invalid session data - // Tracker Use const trackerInvalidInfoHashZset = 'Tracker:invalid_torrent_info_hash:zset'; // FIXME use set instead const trackerAllowedClientList = 'Tracker:allowed_client_list:string'; diff --git a/apps/models/form/Auth/UserLoginForm.php b/apps/models/form/Auth/UserLoginForm.php index 72e2146..1536174 100644 --- a/apps/models/form/Auth/UserLoginForm.php +++ b/apps/models/form/Auth/UserLoginForm.php @@ -133,7 +133,7 @@ protected function isMaxUserSessionsReached() } } - public function LoginFail() + public function LoginFail() // FIXME { app()->redis->zAdd('SITE:fail_login_ip_zset', time(), app()->request->getClientIp()); app()->redis->hIncrBy('SITE:fail_login_ip_count', app()->request->getClientIp(), 1); @@ -164,11 +164,12 @@ private function createUserSession() // Official Payload key $payload = [ 'iss' => config('base.site_url'), + 'sub' => config('base.site_generator'), 'iat' => $timenow, 'jti' => $jti, ]; - $cookieExpire = 0x7fffffff; // for never + $cookieExpire = 0x7fffffff; // Tuesday, January 19, 2038 3:14:07 AM (though it is not security) if ($this->logout === 'yes' || config('security.auto_logout') > 1) { $cookieExpire = $timenow + 15 * 60; // for 15 minutes } diff --git a/apps/models/form/Auth/UserLogoutForm.php b/apps/models/form/Auth/UserLogoutForm.php index 11a5750..acfee24 100644 --- a/apps/models/form/Auth/UserLogoutForm.php +++ b/apps/models/form/Auth/UserLogoutForm.php @@ -66,15 +66,12 @@ public function flush() private function invalidSession() { - // Set this session is expired + app()->cookie->delete(Constant::cookie_name); // Clean cookie + app()->redis->zAdd(Constant::mapUserSessionToId, 0, $this->sid); // Quick Mark this invalid in cache + + // Set this session expired app()->pdo->createCommand('UPDATE `user_session_log` SET `expired` = 1 WHERE sid = :sid')->bindParams([ 'sid' => $this->sid ])->execute(); - - // Clean cookie - app()->cookie->delete(Constant::cookie_name); - - // Mark this invalid - app()->redis->sAdd(Constant::invalidUserSessionSet, $this->sid); } } diff --git a/apps/views/auth/login.php b/apps/views/auth/login.php index ca30c74..e124c4e 100644 --- a/apps/views/auth/login.php +++ b/apps/views/auth/login.php @@ -65,25 +65,25 @@ Advanced Options
- 'disabled' ; 1 - option -> '' ; 2 - force -> 'checked disabled' ?> + 'disabled' ; 0 - option -> '' ; 1 - option but default checked -> 'checked' ; 2 - force -> 'checked disabled' ?>
1): ?>checked - disabled + 0): ?>checked + disabled >
1): ?>checked - disabled + 0): ?>checked + disabled >
request->isSecure() || config('security.ssl_login') > 1): ?>checked - request->isSecure() || config('security.ssl_login') != 1): ?>disabled + request->isSecure() || config('security.ssl_login') > 0): ?>checked + request->isSecure() || in_array(config('security.ssl_login'), [-1, 2])): ?>disabled >