sessions: ignore self-emitted update events
Signed-off-by: chandi Langecker <git@chandi.it>
This commit is contained in:
chandi Langecker
@@ -56,7 +56,7 @@ class SessionMapper extends QBMapper {
|
||||
|
||||
public function findAllActive($boardId) {
|
||||
$qb = $this->db->getQueryBuilder();
|
||||
$qb->select('id', 'board_id', 'last_contact', 'user_id')
|
||||
$qb->select('id', 'board_id', 'last_contact', 'user_id', 'token')
|
||||
->from($this->getTableName())
|
||||
->where($qb->expr()->eq('board_id', $qb->createNamedParameter($boardId)))
|
||||
->andWhere($qb->expr()->gt('last_contact', $qb->createNamedParameter(time() - SessionService::SESSION_VALID_TIME)))
|
||||
|
||||
@@ -33,25 +33,30 @@ use OCA\Deck\Service\SessionService;
|
||||
use OCA\NotifyPush\Queue\IQueue;
|
||||
use OCP\EventDispatcher\Event;
|
||||
use OCP\EventDispatcher\IEventListener;
|
||||
use OCP\IRequest;
|
||||
use Psr\Container\ContainerInterface;
|
||||
use Psr\Log\LoggerInterface;
|
||||
|
||||
class LiveUpdateListener implements IEventListener {
|
||||
private string $userId;
|
||||
private LoggerInterface $logger;
|
||||
private SessionService $sessionService;
|
||||
private IRequest $request;
|
||||
private $queue;
|
||||
|
||||
public function __construct(ContainerInterface $container, SessionService $sessionService, $userId) {
|
||||
public function __construct(
|
||||
ContainerInterface $container,
|
||||
IRequest $request,
|
||||
SessionService $sessionService
|
||||
) {
|
||||
try {
|
||||
$this->queue = $container->get(IQueue::class);
|
||||
} catch (\Exception $e) {
|
||||
// most likely notify_push is not installed.
|
||||
return;
|
||||
}
|
||||
$this->userId = $userId;
|
||||
$this->logger = $container->get(LoggerInterface::class);
|
||||
$this->sessionService = $sessionService;
|
||||
$this->request = $request;
|
||||
}
|
||||
|
||||
public function handle(Event $event): void {
|
||||
@@ -61,10 +66,17 @@ class LiveUpdateListener implements IEventListener {
|
||||
}
|
||||
|
||||
try {
|
||||
if ($event instanceof SessionCreatedEvent || $event instanceof SessionClosedEvent) {
|
||||
$this->sessionService->notifyAllSessions($this->queue, $event->getBoardId(), NotifyPushEvents::DeckBoardUpdate, $event->getUserId(), [
|
||||
// the web frontend is adding the Session-ID as a header on every request
|
||||
// TODO: verify the token! this currently allows to spoof a token from someone
|
||||
// else, preventing this person from getting any live updates
|
||||
$causingSessionToken = $this->request->getHeader('x-nc-deck-session');
|
||||
if (
|
||||
$event instanceof SessionCreatedEvent ||
|
||||
$event instanceof SessionClosedEvent
|
||||
) {
|
||||
$this->sessionService->notifyAllSessions($this->queue, $event->getBoardId(), NotifyPushEvents::DeckBoardUpdate, [
|
||||
'id' => $event->getBoardId()
|
||||
]);
|
||||
], $causingSessionToken);
|
||||
}
|
||||
} catch (\Exception $e) {
|
||||
$this->logger->error('Error when handling live update event', ['exception' => $e]);
|
||||
|
||||
@@ -57,11 +57,11 @@ class SessionService {
|
||||
$this->eventDispatcher = $eventDispatcher;
|
||||
}
|
||||
|
||||
public function initSession($boardId): Session {
|
||||
public function initSession(int $boardId): Session {
|
||||
$session = new Session();
|
||||
$session->setBoardId($boardId);
|
||||
$session->setUserId($this->userId);
|
||||
$session->setToken($this->secureRandom->generate(64));
|
||||
$session->setToken($this->secureRandom->generate(32));
|
||||
$session->setLastContact($this->timeFactory->getTime());
|
||||
|
||||
$session = $this->sessionMapper->insert($session);
|
||||
@@ -91,12 +91,34 @@ class SessionService {
|
||||
return $this->sessionMapper->deleteInactive();
|
||||
}
|
||||
|
||||
public function notifyAllSessions(IQueue $queue, int $boardId, $event, $excludeUserId, $body) {
|
||||
public function notifyAllSessions(IQueue $queue, int $boardId, $event, $body, $causingSessionToken = null) {
|
||||
$activeSessions = $this->sessionMapper->findAllActive($boardId);
|
||||
|
||||
$userIds = [];
|
||||
foreach ($activeSessions as $session) {
|
||||
if ($causingSessionToken && $session->getToken() === $causingSessionToken) {
|
||||
// Limitation:
|
||||
// If the same user has a second session active, the session $causingSessionToken
|
||||
// still gets notified due to the current fact, that notify_push only supports
|
||||
// to specify users, not individual sessions
|
||||
// https://github.com/nextcloud/notify_push/issues/195
|
||||
continue;
|
||||
}
|
||||
|
||||
// don't notify the same user multiple times
|
||||
if (!in_array($session->getUserId(), $userIds)) {
|
||||
$userIds[] = $session->getUserId();
|
||||
}
|
||||
}
|
||||
|
||||
if ($causingSessionToken) {
|
||||
// we only send a slice of the session token to everyone
|
||||
// since knowledge of the full token allows everyone
|
||||
// to close the session maliciously
|
||||
$body['_causingSessionToken'] = substr($causingSessionToken, 0, 12);
|
||||
}
|
||||
foreach ($userIds as $userId) {
|
||||
$queue->push('notify_custom', [
|
||||
'user' => $session->getUserId(),
|
||||
'user' => $userId,
|
||||
'message' => $event,
|
||||
'body' => $body
|
||||
]);
|
||||
|
||||
Reference in New Issue
Block a user