sessions: ignore self-emitted update events
Signed-off-by: chandi Langecker <git@chandi.it>
This commit is contained in:
chandi Langecker
@@ -56,7 +56,7 @@ class SessionMapper extends QBMapper {
|
|||||||
|
|
||||||
public function findAllActive($boardId) {
|
public function findAllActive($boardId) {
|
||||||
$qb = $this->db->getQueryBuilder();
|
$qb = $this->db->getQueryBuilder();
|
||||||
$qb->select('id', 'board_id', 'last_contact', 'user_id')
|
$qb->select('id', 'board_id', 'last_contact', 'user_id', 'token')
|
||||||
->from($this->getTableName())
|
->from($this->getTableName())
|
||||||
->where($qb->expr()->eq('board_id', $qb->createNamedParameter($boardId)))
|
->where($qb->expr()->eq('board_id', $qb->createNamedParameter($boardId)))
|
||||||
->andWhere($qb->expr()->gt('last_contact', $qb->createNamedParameter(time() - SessionService::SESSION_VALID_TIME)))
|
->andWhere($qb->expr()->gt('last_contact', $qb->createNamedParameter(time() - SessionService::SESSION_VALID_TIME)))
|
||||||
|
|||||||
@@ -33,25 +33,30 @@ use OCA\Deck\Service\SessionService;
|
|||||||
use OCA\NotifyPush\Queue\IQueue;
|
use OCA\NotifyPush\Queue\IQueue;
|
||||||
use OCP\EventDispatcher\Event;
|
use OCP\EventDispatcher\Event;
|
||||||
use OCP\EventDispatcher\IEventListener;
|
use OCP\EventDispatcher\IEventListener;
|
||||||
|
use OCP\IRequest;
|
||||||
use Psr\Container\ContainerInterface;
|
use Psr\Container\ContainerInterface;
|
||||||
use Psr\Log\LoggerInterface;
|
use Psr\Log\LoggerInterface;
|
||||||
|
|
||||||
class LiveUpdateListener implements IEventListener {
|
class LiveUpdateListener implements IEventListener {
|
||||||
private string $userId;
|
|
||||||
private LoggerInterface $logger;
|
private LoggerInterface $logger;
|
||||||
private SessionService $sessionService;
|
private SessionService $sessionService;
|
||||||
|
private IRequest $request;
|
||||||
private $queue;
|
private $queue;
|
||||||
|
|
||||||
public function __construct(ContainerInterface $container, SessionService $sessionService, $userId) {
|
public function __construct(
|
||||||
|
ContainerInterface $container,
|
||||||
|
IRequest $request,
|
||||||
|
SessionService $sessionService
|
||||||
|
) {
|
||||||
try {
|
try {
|
||||||
$this->queue = $container->get(IQueue::class);
|
$this->queue = $container->get(IQueue::class);
|
||||||
} catch (\Exception $e) {
|
} catch (\Exception $e) {
|
||||||
// most likely notify_push is not installed.
|
// most likely notify_push is not installed.
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
$this->userId = $userId;
|
|
||||||
$this->logger = $container->get(LoggerInterface::class);
|
$this->logger = $container->get(LoggerInterface::class);
|
||||||
$this->sessionService = $sessionService;
|
$this->sessionService = $sessionService;
|
||||||
|
$this->request = $request;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function handle(Event $event): void {
|
public function handle(Event $event): void {
|
||||||
@@ -61,10 +66,17 @@ class LiveUpdateListener implements IEventListener {
|
|||||||
}
|
}
|
||||||
|
|
||||||
try {
|
try {
|
||||||
if ($event instanceof SessionCreatedEvent || $event instanceof SessionClosedEvent) {
|
// the web frontend is adding the Session-ID as a header on every request
|
||||||
$this->sessionService->notifyAllSessions($this->queue, $event->getBoardId(), NotifyPushEvents::DeckBoardUpdate, $event->getUserId(), [
|
// TODO: verify the token! this currently allows to spoof a token from someone
|
||||||
|
// else, preventing this person from getting any live updates
|
||||||
|
$causingSessionToken = $this->request->getHeader('x-nc-deck-session');
|
||||||
|
if (
|
||||||
|
$event instanceof SessionCreatedEvent ||
|
||||||
|
$event instanceof SessionClosedEvent
|
||||||
|
) {
|
||||||
|
$this->sessionService->notifyAllSessions($this->queue, $event->getBoardId(), NotifyPushEvents::DeckBoardUpdate, [
|
||||||
'id' => $event->getBoardId()
|
'id' => $event->getBoardId()
|
||||||
]);
|
], $causingSessionToken);
|
||||||
}
|
}
|
||||||
} catch (\Exception $e) {
|
} catch (\Exception $e) {
|
||||||
$this->logger->error('Error when handling live update event', ['exception' => $e]);
|
$this->logger->error('Error when handling live update event', ['exception' => $e]);
|
||||||
|
|||||||
@@ -57,11 +57,11 @@ class SessionService {
|
|||||||
$this->eventDispatcher = $eventDispatcher;
|
$this->eventDispatcher = $eventDispatcher;
|
||||||
}
|
}
|
||||||
|
|
||||||
public function initSession($boardId): Session {
|
public function initSession(int $boardId): Session {
|
||||||
$session = new Session();
|
$session = new Session();
|
||||||
$session->setBoardId($boardId);
|
$session->setBoardId($boardId);
|
||||||
$session->setUserId($this->userId);
|
$session->setUserId($this->userId);
|
||||||
$session->setToken($this->secureRandom->generate(64));
|
$session->setToken($this->secureRandom->generate(32));
|
||||||
$session->setLastContact($this->timeFactory->getTime());
|
$session->setLastContact($this->timeFactory->getTime());
|
||||||
|
|
||||||
$session = $this->sessionMapper->insert($session);
|
$session = $this->sessionMapper->insert($session);
|
||||||
@@ -91,12 +91,34 @@ class SessionService {
|
|||||||
return $this->sessionMapper->deleteInactive();
|
return $this->sessionMapper->deleteInactive();
|
||||||
}
|
}
|
||||||
|
|
||||||
public function notifyAllSessions(IQueue $queue, int $boardId, $event, $excludeUserId, $body) {
|
public function notifyAllSessions(IQueue $queue, int $boardId, $event, $body, $causingSessionToken = null) {
|
||||||
$activeSessions = $this->sessionMapper->findAllActive($boardId);
|
$activeSessions = $this->sessionMapper->findAllActive($boardId);
|
||||||
|
$userIds = [];
|
||||||
foreach ($activeSessions as $session) {
|
foreach ($activeSessions as $session) {
|
||||||
|
if ($causingSessionToken && $session->getToken() === $causingSessionToken) {
|
||||||
|
// Limitation:
|
||||||
|
// If the same user has a second session active, the session $causingSessionToken
|
||||||
|
// still gets notified due to the current fact, that notify_push only supports
|
||||||
|
// to specify users, not individual sessions
|
||||||
|
// https://github.com/nextcloud/notify_push/issues/195
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
// don't notify the same user multiple times
|
||||||
|
if (!in_array($session->getUserId(), $userIds)) {
|
||||||
|
$userIds[] = $session->getUserId();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($causingSessionToken) {
|
||||||
|
// we only send a slice of the session token to everyone
|
||||||
|
// since knowledge of the full token allows everyone
|
||||||
|
// to close the session maliciously
|
||||||
|
$body['_causingSessionToken'] = substr($causingSessionToken, 0, 12);
|
||||||
|
}
|
||||||
|
foreach ($userIds as $userId) {
|
||||||
$queue->push('notify_custom', [
|
$queue->push('notify_custom', [
|
||||||
'user' => $session->getUserId(),
|
'user' => $userId,
|
||||||
'message' => $event,
|
'message' => $event,
|
||||||
'body' => $body
|
'body' => $body
|
||||||
]);
|
]);
|
||||||
|
|||||||
@@ -21,13 +21,36 @@
|
|||||||
import { listen } from '@nextcloud/notify_push'
|
import { listen } from '@nextcloud/notify_push'
|
||||||
import { sessionApi } from './services/SessionApi.js'
|
import { sessionApi } from './services/SessionApi.js'
|
||||||
import store from './store/main.js'
|
import store from './store/main.js'
|
||||||
|
import axios from '@nextcloud/axios'
|
||||||
|
|
||||||
const SESSION_INTERVAL = 90 // in seconds
|
const SESSION_INTERVAL = 90 // in seconds
|
||||||
|
|
||||||
let hasPush = false
|
let hasPush = false
|
||||||
|
|
||||||
|
/**
|
||||||
|
* used to verify, whether an event is originated by ourselves
|
||||||
|
*
|
||||||
|
* @param token
|
||||||
|
*/
|
||||||
|
function isOurSessionToken(token) {
|
||||||
|
if (axios.defaults.headers['x-nc-deck-session']
|
||||||
|
&& axios.defaults.headers['x-nc-deck-session'].startsWith(token)) {
|
||||||
|
return true
|
||||||
|
} else {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
hasPush = listen('deck_board_update', (name, body) => {
|
hasPush = listen('deck_board_update', (name, body) => {
|
||||||
triggerDeckReload(body.id)
|
// ignore update events which we have triggered ourselves
|
||||||
|
if (isOurSessionToken(body._causingSessionToken)) return
|
||||||
|
|
||||||
|
// only handle update events for the currently open board
|
||||||
|
const currentBoardId = store.state.currentBoard?.id
|
||||||
|
if (body.id !== currentBoardId) return
|
||||||
|
|
||||||
|
store.dispatch('refreshBoard', currentBoardId)
|
||||||
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -38,21 +61,6 @@ export function isNotifyPushEnabled() {
|
|||||||
return hasPush
|
return hasPush
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Triggers a reload of the deck, if the provided id
|
|
||||||
* matches the current open deck
|
|
||||||
*
|
|
||||||
* @param triggeredBoardId
|
|
||||||
*/
|
|
||||||
export function triggerDeckReload(triggeredBoardId) {
|
|
||||||
const currentBoardId = store.state.currentBoard?.id
|
|
||||||
|
|
||||||
// only handle update events for the currently open board
|
|
||||||
if (triggeredBoardId !== currentBoardId) return
|
|
||||||
|
|
||||||
store.dispatch('refreshBoard', currentBoardId)
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
* @param boardId
|
* @param boardId
|
||||||
@@ -74,6 +82,7 @@ export function createSession(boardId) {
|
|||||||
tokenPromise = sessionApi.createSession(boardId).then(res => res.token)
|
tokenPromise = sessionApi.createSession(boardId).then(res => res.token)
|
||||||
tokenPromise.then((t) => {
|
tokenPromise.then((t) => {
|
||||||
token = t
|
token = t
|
||||||
|
axios.defaults.headers['x-nc-deck-session'] = t
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
create()
|
create()
|
||||||
@@ -95,12 +104,13 @@ export function createSession(boardId) {
|
|||||||
// periodically notify the server that we are still here
|
// periodically notify the server that we are still here
|
||||||
let interval = setInterval(ensureSession, SESSION_INTERVAL * 1000)
|
let interval = setInterval(ensureSession, SESSION_INTERVAL * 1000)
|
||||||
|
|
||||||
// close session when
|
// close session when tab gets hidden/inactive
|
||||||
const visibilitychangeListener = () => {
|
const visibilitychangeListener = () => {
|
||||||
if (document.visibilityState === 'hidden') {
|
if (document.visibilityState === 'hidden') {
|
||||||
sessionApi.closeSessionViaBeacon(boardId, token)
|
sessionApi.closeSessionViaBeacon(boardId, token)
|
||||||
tokenPromise = null
|
tokenPromise = null
|
||||||
token = null
|
token = null
|
||||||
|
delete axios.defaults.headers['x-nc-deck-session']
|
||||||
|
|
||||||
// stop session refresh interval
|
// stop session refresh interval
|
||||||
clearInterval(interval)
|
clearInterval(interval)
|
||||||
@@ -110,7 +120,7 @@ export function createSession(boardId) {
|
|||||||
|
|
||||||
// we must assume that the websocket connection was
|
// we must assume that the websocket connection was
|
||||||
// paused and we have missed updates in the meantime.
|
// paused and we have missed updates in the meantime.
|
||||||
triggerDeckReload()
|
store.dispatch('refreshBoard', store.state.currentBoard?.id)
|
||||||
|
|
||||||
// restart session refresh interval
|
// restart session refresh interval
|
||||||
interval = setInterval(ensureSession, SESSION_INTERVAL * 1000)
|
interval = setInterval(ensureSession, SESSION_INTERVAL * 1000)
|
||||||
|
|||||||
Reference in New Issue
Block a user