Security: Add magic button name End all sessions

It's FUCKING USEFUL bc uknow ur pc or phone can be stolen xd
2024-11-13 10:39:24 +03:00 · 2022-09-03 23:11:08 +03:00 · 2022-09-03 23:11:08 +03:00 · 83be7eed10
commit 83be7eed10
parent 863fb232e0
6 changed files with 61 additions and 1 deletions
--- a/Web/Presenters/AuthPresenter.php
+++ b/Web/Presenters/AuthPresenter.php
@ -322,4 +322,22 @@ final class AuthPresenter extends OpenVKPresenter

        $this->redirect("/");
    }
+
+    /*
+     * This function will revoke all tokens, including API and Web tokens and except active one
+     * 
+     * OF COURSE it requires CSRF
+     */ 
+    function renderRevokeAllTokens(): void
+    {
+        $this->assertUserLoggedIn();
+        $this->willExecuteWriteAction();
+        $this->assertNoCSRF();
+
+        // API tokens
+        $this->db->table("api_tokens")->where("user", $this->user->identity->getId())->delete();
+        // Web tokens
+        $this->db->table("ChandlerTokens")->where("user", $this->user->identity->getChandlerGUID())->where("token != ?", Session::i()->get("tok"))->delete();
+        $this->flashFail("succ", tr("information_-1"), tr("end_all_sessions_done"));
+    }
 } 
--- a/Web/Presenters/UserPresenter.php
+++ b/Web/Presenters/UserPresenter.php
@ -454,7 +454,7 @@ final class UserPresenter extends OpenVKPresenter
 			$this->flash("succ", tr("changes_saved"), tr("changes_saved_comment"));
        }
        $this->template->mode = in_array($this->queryParam("act"), [
-            "main", "privacy", "finance", "finance.top-up", "interface"
+            "main", "security", "privacy", "finance", "finance.top-up", "interface"
        ]) ? $this->queryParam("act")
            : "main";

--- a/Web/Presenters/templates/User/Settings.xml
+++ b/Web/Presenters/templates/User/Settings.xml
@ -8,6 +8,7 @@
 {block content}

 {var $isMain       = $mode === 'main'}
+{var $isSecurity   = $mode === 'security'}
 {var $isPrivacy    = $mode === 'privacy'}
 {var $isFinance    = $mode === 'finance'}
 {var $isFinanceTU  = $mode === 'finance.top-up'}
@ -17,6 +18,9 @@
        <div n:attr="id => ($isMain ? 'activetabs' : 'ki')" class="tab">
            <a n:attr="id => ($isMain ? 'act_tab_a' : 'ki')" href="/settings">{_main}</a>
        </div>
+        <div n:attr="id => ($isSecurity ? 'activetabs' : 'ki')" class="tab">
+            <a n:attr="id => ($isSecurity ? 'act_tab_a' : 'ki')" href="/settings?act=security">{_security}</a>
+        </div>
        <div n:attr="id => ($isPrivacy ? 'activetabs' : 'ki')" class="tab">
            <a n:attr="id => ($isPrivacy ? 'act_tab_a' : 'ki')" href="/settings?act=privacy">{_privacy}</a>
        </div>
@ -226,6 +230,28 @@
            {_you_can_also} <a onClick="showProfileDeactivateDialog({$csrfToken})">{_delete_your_page}</a>.
        </div>

+        {elseif $isSecurity}
+        <h4>{_ui_settings_sessions}</h4>
+        <form action="/revokeAllTokens" method="POST">
+            <table cellspacing="7" cellpadding="0" width="60%" border="0" align="center">
+                <tbody>
+                    <tr>
+                        <td>
+                            <div class="accent-box">
+                                {tr("end_all_sessions_description", OPENVK_ROOT_CONF['openvk']['appearance']['name'])}
+                            </div>
+                        </td>
+                    </tr>
+                    <tr>
+                        <td width="120" valign="top" style="text-align: center;">
+                            <input type="hidden" name="hash" value="{$csrfToken}" />
+                            <input type="submit" value="{_end_all_sessions}" class="button" />
+                        </td>
+                    </tr>
+                </tbody>
+            </table>
+        </form>
+        
        {elseif $isPrivacy}

        <form action="/settings?act=privacy" method="POST" enctype="multipart/form-data">
--- a/Web/routes.yml
+++ b/Web/routes.yml
@ -65,6 +65,8 @@ routes:
      handler: "Auth->verifyEmail"
    - url: "/setSID/{slug}"
      handler: "Auth->su"
+    - url: "/revokeAllTokens"
+      handler: "Auth->revokeAllTokens"
    - url: "/settings"
      handler: "User->settings"
    - url: "/settings/2fa"
--- a/locales/en.strings
+++ b/locales/en.strings
@ -418,6 +418,7 @@
 "avatar" = "Avatar";
 "privacy" = "Privacy";
 "interface" = "Interface";
+"security" = "Security";

 "profile_picture" = "Profile picture";

@ -490,6 +491,7 @@
 "ui_settings_view_of_posts_old" = "Old";
 "ui_settings_view_of_posts_microblog" = "Microblog";
 "ui_settings_main_page" = "Main page";
+"ui_settings_sessions" = "Sessions";

 "additional_links" = "Additional links";
 "ad_poster" = "Ad poster";
@ -518,6 +520,11 @@

 "share_with_friends" = "Share with friends";

+"end_all_sessions" = "End all sessions";
+"end_all_sessions_description" = "If you wanna logout from $1 on all devices, click on button below";
+
+"end_all_sessions_done" = "All sessions was ended, including mobile apps";
+
 /* Two-factor authentication */

 "two_factor_authentication" = "Two-factor authentication";
--- a/locales/ru.strings
+++ b/locales/ru.strings
@ -452,6 +452,7 @@
 "avatar" = "Аватар";
 "privacy" = "Приватность";
 "interface" = "Внешний вид";
+"security" = "Безопасность";

 "profile_picture" = "Изображение страницы";

@ -526,6 +527,7 @@
 "ui_settings_view_of_posts_old" = "Старый";
 "ui_settings_view_of_posts_microblog" = "Микроблог";
 "ui_settings_main_page" = "Главная страница";
+"ui_settings_sessions" = "Сессии";

 "additional_links" = "Дополнительные ссылки";
 "ad_poster" = "Рекламный плакат";
@ -554,6 +556,11 @@

 "share_with_friends" = "Рассказать друзьям";

+"end_all_sessions" = "Сбросить все сессии";
+"end_all_sessions_description" = "Если вы хотите выйти из $1 со всех устройств, нажмите на кнопку ниже";
+
+"end_all_sessions_done" = "Все сессии сброшены, включая мобильные приложения";
+
 /* Two-factor authentication */

 "two_factor_authentication" = "Двухфакторная аутентификация";