fix: Close session if right token is given

This will reduce orphaned session from basex queries or monitoring
geokrety · Sep 10, 2023 · df7a7fa · df7a7fa
1 parent f03ac0a
commit df7a7fa
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 0 deletions.
diff --git a/website/app/GeoKrety/Controller/Pages/LegacyRoutes.php b/website/app/GeoKrety/Controller/Pages/LegacyRoutes.php
@@ -116,6 +116,9 @@ public function export2(\Base $f3) {
         if ($f3->exists('GET.rate_limits_bypass')) {
             $others['rate_limits_bypass'] = $f3->get('GET.rate_limits_bypass');
         }
+        if ($f3->exists('GET.GET.short_lived_session_token')) {
+            $others['GET.short_lived_session_token'] = $f3->get('GET.GET.short_lived_session_token');
+        }
         $url_params = $this->_export_query_params($f3, $others);
         $f3->reroute(sprintf('@api_v1_export2?%s', $url_params), $permanent = false, $die = true);
     }

diff --git a/website/app/GeoKrety/Service/Config.php b/website/app/GeoKrety/Service/Config.php
@@ -11,6 +11,7 @@ public function __construct() {
         define('GK_SITE_ADMINISTRATORS', explode(',', getenv('GK_SITE_ADMINISTRATORS') ?: '26422'));
         define('GK_SITE_SESSION_REMEMBER', getenv('GK_SITE_SESSION_REMEMBER') ?: 60 * 60 * 24); // 24 hours
         define('GK_SITE_SESSION_LIFETIME_REMEMBER', getenv('GK_SITE_SESSION_LIFETIME_REMEMBER') ?: 60 * 60 * 24 * 30); // 30 days
+        define('GK_SITE_SESSION_SHORT_LIVED_TOKEN', getenv('GK_SITE_SESSION_SHORT_LIVED_TOKEN') ?: substr(str_shuffle(md5(microtime())), 0, 10));
         define('GK_SITE_ACCOUNT_ACTIVATION_CODE_LENGTH', getenv('GK_SITE_ACCOUNT_ACTIVATION_CODE_LENGTH') ?: 42);
         define('GK_SITE_ACCOUNT_ACTIVATION_CODE_DAYS_VALIDITY', getenv('GK_SITE_ACCOUNT_ACTIVATION_CODE_DAYS_VALIDITY') ?: 15);
         define('GK_SITE_EMAIL_ACTIVATION_CODE_LENGTH', getenv('GK_SITE_EMAIL_ACTIVATION_CODE_LENGTH') ?: 42);

diff --git a/website/app/GeoKrety/Session.php b/website/app/GeoKrety/Session.php
@@ -45,4 +45,13 @@ public static function closeAllSessionsForUser(User $user) {
         $f3 = \Base::instance();
         $f3->get('DB')->exec('DELETE FROM sessions WHERE "user" = ?', [$user->id]);
     }
+
+    public static function closeCurrentSession() {
+        $sessid = session_id();
+        if ($sessid === false) {
+            return;
+        }
+        $f3 = \Base::instance();
+        $f3->get('DB')->exec('DELETE FROM sessions WHERE "session_id" = ?', [$sessid]);
+    }
 }
diff --git a/website/app/shutdown.php b/website/app/shutdown.php
@@ -3,6 +3,7 @@
 register_shutdown_function('shutdown_force_send_response_to_client', $f3);
 register_shutdown_function('shutdown_prometheus_metrics', $f3);
 register_shutdown_function('shutdown_audit_post', $f3);
+register_shutdown_function('shutdown_short_lived_sessions', $f3);
 
 // Piwik
 if (GK_PIWIK_ENABLED) {
@@ -15,6 +16,13 @@ function shutdown_force_send_response_to_client(Base $f3) {
     }
 }
 
+function shutdown_short_lived_sessions(Base $f3) {
+    $token = $f3->get('GET.short_lived_session_token');
+    if ($token === GK_SITE_SESSION_SHORT_LIVED_TOKEN) {
+        \GeoKrety\Session::closeCurrentSession();
+    }
+}
+
 function shutdown_piwik(Base $f3) {
     if (!\GeoKrety\Service\UserSettings::getForCurrentUser('TRACKING_OPT_OUT')) {
         try {