From 83be7eed1096ace1b85e924d46d6921ac57be044 Mon Sep 17 00:00:00 2001
From: veselcraft
Date: Sat, 3 Sep 2022 23:11:08 +0300
Subject: [PATCH] Security: Add magic button name End all sessions

It's FUCKING USEFUL bc uknow ur pc or phone can be stolen xd
---
 Web/Presenters/AuthPresenter.php | 18 +++++++++++++++
 Web/Presenters/UserPresenter.php | 2 +-
 Web/Presenters/templates/User/Settings.xml | 26 ++++++++++++++++++++++
 Web/routes.yml | 2 ++
 locales/en.strings | 7 ++++++
 locales/ru.strings | 7 ++++++
 6 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/Web/Presenters/AuthPresenter.php b/Web/Presenters/AuthPresenter.php
index ac5a30c2..3fe6e66c 100644
--- a/Web/Presenters/AuthPresenter.php
+++ b/Web/Presenters/AuthPresenter.php
@@ -322,4 +322,22 @@ final class AuthPresenter extends OpenVKPresenter
         $this->redirect("/");
     }
+
+    /*
+     * This function will revoke all tokens, including API and Web tokens and except active one
+     *
+     * OF COURSE it requires CSRF
+     */
+    function renderRevokeAllTokens(): void
+    {
+        $this->assertUserLoggedIn();
+        $this->willExecuteWriteAction();
+        $this->assertNoCSRF();
+
+        // API tokens
+        $this->db->table("api_tokens")->where("user", $this->user->identity->getId())->delete();
+        // Web tokens
+        $this->db->table("ChandlerTokens")->where("user", $this->user->identity->getChandlerGUID())->where("token != ?", Session::i()->get("tok"))->delete();
+        $this->flashFail("succ", tr("information_-1"), tr("end_all_sessions_done"));
+    }
 }
diff --git a/Web/Presenters/UserPresenter.php b/Web/Presenters/UserPresenter.php
index 6871b90e..3832607f 100644
--- a/Web/Presenters/UserPresenter.php
+++ b/Web/Presenters/UserPresenter.php
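Review bot: `renderRevokeAllTokens` reports success through `$this->flashFail("succ", …)` although the two deletes are not wrapped in a transaction, so if the `ChandlerTokens` delete throws after the `api_tokens` delete has already run the user is left half-revoked without any hint; if `$this->db` exposes `beginTransaction()`/`commit()` (it looks like a Nette Database explorer, please confirm), wrap both deletes in one. The method also lacks a visibility modifier (`public function renderRevokeAllTokens(): void`) and uses `flashFail` on a success path, while the `UserPresenter` hunk in this same commit uses `$this->flash("succ", …)`; presumably `flashFail` redirects as well, but the name reads as an error path. The header comment says "except active one", which holds only for the web tokens, since every API token is deleted; I would replace it with a docblock such as `/** Revokes all API tokens and all web sessions of the current user except the session issuing the request. CSRF-protected write action. */`. The `end_all_sessions_done` locale string added further down ("All sessions was ended") likewise promises more than the code does, because the requesting session survives.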
@@ -454,7 +454,7 @@ final class UserPresenter extends OpenVKPresenter
             $this->flash("succ", tr("changes_saved"), tr("changes_saved_comment"));
         }
         $this->template->mode = in_array($this->queryParam("act"), [
-            "main", "privacy", "finance", "finance.top-up", "interface"
+            "main", "security", "privacy", "finance", "finance.top-up", "interface"
         ]) ? $this->queryParam("act") : "main";
diff --git a/Web/Presenters/templates/User/Settings.xml b/Web/Presenters/templates/User/Settings.xml
index f5125d8c..f5ed8d7e 100644
--- a/Web/Presenters/templates/User/Settings.xml
+++ b/Web/Presenters/templates/User/Settings.xml
@@ -8,6 +8,7 @@
 {block content}
 {var $isMain = $mode === 'main'}
+{var $isSecurity = $mode === 'security'}
 {var $isPrivacy = $mode === 'privacy'}
 {var $isFinance = $mode === 'finance'}
 {var $isFinanceTU = $mode === 'finance.top-up'}
@@ -17,6 +18,9 @@
{_main}
+
+ {_security} +
{_privacy}
@@ -226,6 +230,28 @@ {_you_can_also} {_delete_your_page}. + {elseif $isSecurity} +

{_ui_settings_sessions}

+
+ + + + + + + + + +
+
+ {tr("end_all_sessions_description", OPENVK_ROOT_CONF['openvk']['appearance']['name'])} +
+
+ + +
+
+ {elseif $isPrivacy}
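Review bot: The markup of the "end all sessions" control is not preserved in this rendering (only the `{tr("end_all_sessions_description", …)}` call and empty `+` lines survive), so I cannot confirm how it submits; because `Auth->revokeAllTokens` runs `willExecuteWriteAction()` and `assertNoCSRF()`, the button has to be a POST form that carries the CSRF token the presenter checks, and a plain link to `/revokeAllTokens` would be rejected on every click. Please confirm the form in this hunk does that, and consider noting in the template comment that the current session is intentionally kept alive. The enclosing `{if}` chain starts outside the hunk.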
diff --git a/Web/routes.yml b/Web/routes.yml
index 2b346610..99c918c2 100644
--- a/Web/routes.yml
+++ b/Web/routes.yml
@@ -65,6 +65,8 @@ routes:
       handler: "Auth->verifyEmail"
     - url: "/setSID/{slug}"
       handler: "Auth->su"
+    - url: "/revokeAllTokens"
+      handler: "Auth->revokeAllTokens"
     - url: "/settings"
       handler: "User->settings"
     - url: "/settings/2fa"
diff --git a/locales/en.strings b/locales/en.strings
index a0825392..88fa02a7 100644
--- a/locales/en.strings
+++ b/locales/en.strings
@@ -418,6 +418,7 @@
 "avatar" = "Avatar";
 "privacy" = "Privacy";
 "interface" = "Interface";
+"security" = "Security";
 "profile_picture" = "Profile picture";
@@ -490,6 +491,7 @@
 "ui_settings_view_of_posts_old" = "Old";
 "ui_settings_view_of_posts_microblog" = "Microblog";
 "ui_settings_main_page" = "Main page";
+"ui_settings_sessions" = "Sessions";
 "additional_links" = "Additional links";
 "ad_poster" = "Ad poster";
@@ -518,6 +520,11 @@
 "share_with_friends" = "Share with friends";
+"end_all_sessions" = "End all sessions";
+"end_all_sessions_description" = "If you wanna logout from $1 on all devices, click on button below";
+
+"end_all_sessions_done" = "All sessions was ended, including mobile apps";
+
 /* Two-factor authentication */
 "two_factor_authentication" = "Two-factor authentication";
diff --git a/locales/ru.strings b/locales/ru.strings
index 0e7b7806..a5500a0f 100644
--- a/locales/ru.strings
+++ b/locales/ru.strings
@@ -452,6 +452,7 @@
 "avatar" = "Аватар";
 "privacy" = "Приватность";
 "interface" = "Внешний вид";
+"security" = "Безопасность";
 "profile_picture" = "Изображение страницы";
@@ -526,6 +527,7 @@
 "ui_settings_view_of_posts_old" = "Старый";
 "ui_settings_view_of_posts_microblog" = "Микроблог";
 "ui_settings_main_page" = "Главная страница";
+"ui_settings_sessions" = "Сессии";
 "additional_links" = "Дополнительные ссылки";
 "ad_poster" = "Рекламный плакат";
@@ -554,6 +556,11 @@
 "share_with_friends" = "Рассказать друзьям";
+"end_all_sessions" = "Сбросить все сессии";
+"end_all_sessions_description" = "Если вы хотите выйти из $1 со всех устройств, нажмите на кнопку ниже";
+
+"end_all_sessions_done" = "Все сессии сброшены, включая мобильные приложения";
+
 /* Two-factor authentication */
 "two_factor_authentication" = "Двухфакторная аутентификация";