Security: Add magic button name End all sessions

It's FUCKING USEFUL bc uknow ur pc or phone can be stolen

xd
This commit is contained in:
veselcraft 2022-09-03 23:11:08 +03:00
parent 863fb232e0
commit 83be7eed10
No known key found for this signature in database
GPG key ID: AED66BC1AC628A4E
6 changed files with 61 additions and 1 deletions


@ -322,4 +322,22 @@ final class AuthPresenter extends OpenVKPresenter
$this->redirect("/"); $this->redirect("/");
} }
/*
* This function will revoke all tokens, including API and Web tokens and except active one
*
* OF COURSE it requires CSRF
*/
function renderRevokeAllTokens(): void
{
$this->assertUserLoggedIn();
$this->willExecuteWriteAction();
$this->assertNoCSRF();
// API tokens
$this->db->table("api_tokens")->where("user", $this->user->identity->getId())->delete();
// Web tokens
$this->db->table("ChandlerTokens")->where("user", $this->user->identity->getChandlerGUID())->where("token != ?", Session::i()->get("tok"))->delete();
$this->flashFail("succ", tr("information_-1"), tr("end_all_sessions_done"));
}
} }
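Review bot: renderRevokeAllTokens performs both deletes for any HTTP method — the `/revokeAllTokens` route added in the routes hunk carries no method constraint and the handler only relies on `assertNoCSRF()`. If `assertNoCSRF()` also accepts `hash` from the query string, a GET link carrying the token would trigger the revocation and the token could leak through the Referer header; a guard such as `if ($_SERVER["REQUEST_METHOD"] !== "POST") $this->redirect("/settings?act=security");` placed before the write actions keeps it to the POST form. The second delete keeps the current session by comparing against `Session::i()->get("tok")`; if that value can be null for a logged-in user, the condition becomes `token != NULL` and no web session is revoked, so asserting it is set first would make the failure visible. Revoking every other session is a sensitive action, and asking for the account password before it would limit what a single hijacked session can do. The docblock would read better as `/** Revokes all API and web tokens of the current user except the active web session; requires the CSRF hash parameter. */`, opened with `/**` so documentation tooling picks it up.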


@ -454,7 +454,7 @@ final class UserPresenter extends OpenVKPresenter
$this->flash("succ", tr("changes_saved"), tr("changes_saved_comment")); $this->flash("succ", tr("changes_saved"), tr("changes_saved_comment"));
} }
$this->template->mode = in_array($this->queryParam("act"), [ $this->template->mode = in_array($this->queryParam("act"), [
"main", "privacy", "finance", "finance.top-up", "interface" "main", "security", "privacy", "finance", "finance.top-up", "interface"
]) ? $this->queryParam("act") ]) ? $this->queryParam("act")
: "main"; : "main";


@ -8,6 +8,7 @@
{block content} {block content}
{var $isMain = $mode === 'main'} {var $isMain = $mode === 'main'}
{var $isSecurity = $mode === 'security'}
{var $isPrivacy = $mode === 'privacy'} {var $isPrivacy = $mode === 'privacy'}
{var $isFinance = $mode === 'finance'} {var $isFinance = $mode === 'finance'}
{var $isFinanceTU = $mode === 'finance.top-up'} {var $isFinanceTU = $mode === 'finance.top-up'}
@ -17,6 +18,9 @@
<div n:attr="id => ($isMain ? 'activetabs' : 'ki')" class="tab"> <div n:attr="id => ($isMain ? 'activetabs' : 'ki')" class="tab">
<a n:attr="id => ($isMain ? 'act_tab_a' : 'ki')" href="/settings">{_main}</a> <a n:attr="id => ($isMain ? 'act_tab_a' : 'ki')" href="/settings">{_main}</a>
</div> </div>
<div n:attr="id => ($isSecurity ? 'activetabs' : 'ki')" class="tab">
<a n:attr="id => ($isSecurity ? 'act_tab_a' : 'ki')" href="/settings?act=security">{_security}</a>
</div>
<div n:attr="id => ($isPrivacy ? 'activetabs' : 'ki')" class="tab"> <div n:attr="id => ($isPrivacy ? 'activetabs' : 'ki')" class="tab">
<a n:attr="id => ($isPrivacy ? 'act_tab_a' : 'ki')" href="/settings?act=privacy">{_privacy}</a> <a n:attr="id => ($isPrivacy ? 'act_tab_a' : 'ki')" href="/settings?act=privacy">{_privacy}</a>
</div> </div>
@ -226,6 +230,28 @@
{_you_can_also} <a onClick="showProfileDeactivateDialog({$csrfToken})">{_delete_your_page}</a>. {_you_can_also} <a onClick="showProfileDeactivateDialog({$csrfToken})">{_delete_your_page}</a>.
</div> </div>
{elseif $isSecurity}
<h4>{_ui_settings_sessions}</h4>
<form action="/revokeAllTokens" method="POST">
<table cellspacing="7" cellpadding="0" width="60%" border="0" align="center">
<tbody>
<tr>
<td>
<div class="accent-box">
{tr("end_all_sessions_description", OPENVK_ROOT_CONF['openvk']['appearance']['name'])}
</div>
</td>
</tr>
<tr>
<td width="120" valign="top" style="text-align: center;">
<input type="hidden" name="hash" value="{$csrfToken}" />
<input type="submit" value="{_end_all_sessions}" class="button" />
</td>
</tr>
</tbody>
</table>
</form>
{elseif $isPrivacy} {elseif $isPrivacy}
<form action="/settings?act=privacy" method="POST" enctype="multipart/form-data"> <form action="/settings?act=privacy" method="POST" enctype="multipart/form-data">
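Review bot: The form at `<form action="/revokeAllTokens" method="POST">` submits on a single click with no confirmation, whereas the other destructive action on this page, page deactivation, goes through `showProfileDeactivateDialog` first. Since the submit signs out every other device and mobile app, a confirmation step — a dialog like the deactivation one, or at least `onsubmit="return confirm(...)"` with a translated string — would prevent accidental submissions. The hidden `hash` field follows the CSRF pattern used by the other forms on this page, which is the right way to bind the request to the session.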


@ -65,6 +65,8 @@ routes:
handler: "Auth->verifyEmail" handler: "Auth->verifyEmail"
- url: "/setSID/{slug}" - url: "/setSID/{slug}"
handler: "Auth->su" handler: "Auth->su"
- url: "/revokeAllTokens"
handler: "Auth->revokeAllTokens"
- url: "/settings" - url: "/settings"
handler: "User->settings" handler: "User->settings"
- url: "/settings/2fa" - url: "/settings/2fa"


@ -418,6 +418,7 @@
"avatar" = "Avatar"; "avatar" = "Avatar";
"privacy" = "Privacy"; "privacy" = "Privacy";
"interface" = "Interface"; "interface" = "Interface";
"security" = "Security";
"profile_picture" = "Profile picture"; "profile_picture" = "Profile picture";
@ -490,6 +491,7 @@
"ui_settings_view_of_posts_old" = "Old"; "ui_settings_view_of_posts_old" = "Old";
"ui_settings_view_of_posts_microblog" = "Microblog"; "ui_settings_view_of_posts_microblog" = "Microblog";
"ui_settings_main_page" = "Main page"; "ui_settings_main_page" = "Main page";
"ui_settings_sessions" = "Sessions";
"additional_links" = "Additional links"; "additional_links" = "Additional links";
"ad_poster" = "Ad poster"; "ad_poster" = "Ad poster";
@ -518,6 +520,11 @@
"share_with_friends" = "Share with friends"; "share_with_friends" = "Share with friends";
"end_all_sessions" = "End all sessions";
"end_all_sessions_description" = "If you wanna logout from $1 on all devices, click on button below";
"end_all_sessions_done" = "All sessions was ended, including mobile apps";
/* Two-factor authentication */ /* Two-factor authentication */
"two_factor_authentication" = "Two-factor authentication"; "two_factor_authentication" = "Two-factor authentication";


@ -452,6 +452,7 @@
"avatar" = "Аватар"; "avatar" = "Аватар";
"privacy" = "Приватность"; "privacy" = "Приватность";
"interface" = "Внешний вид"; "interface" = "Внешний вид";
"security" = "Безопасность";
"profile_picture" = "Изображение страницы"; "profile_picture" = "Изображение страницы";
@ -526,6 +527,7 @@
"ui_settings_view_of_posts_old" = "Старый"; "ui_settings_view_of_posts_old" = "Старый";
"ui_settings_view_of_posts_microblog" = "Микроблог"; "ui_settings_view_of_posts_microblog" = "Микроблог";
"ui_settings_main_page" = "Главная страница"; "ui_settings_main_page" = "Главная страница";
"ui_settings_sessions" = "Сессии";
"additional_links" = "Дополнительные ссылки"; "additional_links" = "Дополнительные ссылки";
"ad_poster" = "Рекламный плакат"; "ad_poster" = "Рекламный плакат";
@ -554,6 +556,11 @@
"share_with_friends" = "Рассказать друзьям"; "share_with_friends" = "Рассказать друзьям";
"end_all_sessions" = "Сбросить все сессии";
"end_all_sessions_description" = "Если вы хотите выйти из $1 со всех устройств, нажмите на кнопку ниже";
"end_all_sessions_done" = "Все сессии сброшены, включая мобильные приложения";
/* Two-factor authentication */ /* Two-factor authentication */
"two_factor_authentication" = "Двухфакторная аутентификация"; "two_factor_authentication" = "Двухфакторная аутентификация";