[server] Use correct app while updating ott table

This commit is contained in:
Neeraj Gupta 2024-04-09 11:14:44 +05:30
parent 6bf22fa864
commit 73eacfb30d
4 changed files with 23 additions and 18 deletions


@ -1,11 +1,9 @@
-- Add unique index on otts for email_hash,app,ott
BEGIN;
ALTER TABLE
otts DROP CONSTRAINT unique_otts_emailhash_ott;
otts DROP CONSTRAINT IF EXISTS unique_otts_emailhash_app_ott;
ALTER TABLE
otts
ADD
CONSTRAINT unique_otts_emailhash_app_ott UNIQUE (ott,app, email_hash);
COMMIT;
CONSTRAINT unique_otts_emailhash_ott UNIQUE (ott, email_hash);
COMMIT;
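Review bot: If this file is the down migration, as the `DROP CONSTRAINT IF EXISTS unique_otts_emailhash_app_ott` followed by re-adding `unique_otts_emailhash_ott UNIQUE (ott, email_hash)` suggests, the rollback can fail once the table holds rows that share (ott, email_hash) under different apps, which the wider (ott, app, email_hash) constraint permits. Either the rollback is only safe while no such rows exist, or conflicting rows should be removed before the ADD CONSTRAINT; whichever is intended deserves a header comment such as `-- Rollback fails if the same ott exists for one email_hash under several apps`. The side of each line is inferred from the page, since the +/- markers are not preserved.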


@ -1,2 +1,9 @@
DROP TRIGGER IF EXISTS update_location_tag_updated_at ON location_tag;
DROP TABLE location_tag;
BEGIN;
ALTER TABLE
otts DROP CONSTRAINT IF EXISTS unique_otts_emailhash_ott;
ALTER TABLE
otts
ADD
CONSTRAINT unique_otts_emailhash_app_ott UNIQUE (ott,app, email_hash);
COMMIT;
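Review bot: The constraint name created here, `unique_otts_emailhash_app_ott`, is the one the updated `ON CONFLICT ON CONSTRAINT` clause in AddOTT refers to, so this migration must be applied before the new server build is deployed; until then every AddOTT would fail at the database with an unknown-constraint error. The file has no comment explaining why the uniqueness key is widened; a header line such as `-- Replace (ott, email_hash) uniqueness with (ott, app, email_hash) so each app keeps its own OTT rows` would make the intent clear. This file's previous content (the location_tag drop) appears to be replaced wholesale, which looks like a misplaced migration being corrected, but that is inferred from the page rather than visible here.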


@ -140,7 +140,7 @@ func (c *UserController) verifyEmailOtt(context *gin.Context, email string, ott
if err != nil {
return stacktrace.Propagate(err, "")
}
wrongAttempt, err := c.UserAuthRepo.GetMaxWrongAttempts(emailHash)
wrongAttempt, err := c.UserAuthRepo.GetMaxWrongAttempts(emailHash, auth.GetApp(context))
if err != nil {
return stacktrace.Propagate(err, "")
}
@ -166,12 +166,12 @@ func (c *UserController) verifyEmailOtt(context *gin.Context, email string, ott
}
}
if !isValidOTT {
if err = c.UserAuthRepo.RecordWrongAttemptForActiveOtt(emailHash); err != nil {
if err = c.UserAuthRepo.RecordWrongAttemptForActiveOtt(emailHash, auth.GetApp(context)); err != nil {
log.WithError(err).Warn("Failed to track wrong attempt")
}
return stacktrace.Propagate(ente.ErrIncorrectOTT, "")
}
err = c.UserAuthRepo.RemoveOTT(emailHash, ott)
err = c.UserAuthRepo.RemoveOTT(emailHash, ott, auth.GetApp(context))
if err != nil {
return stacktrace.Propagate(err, "")
}
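Review bot: `auth.GetApp(context)` is evaluated three times in verifyEmailOtt, once for each of the GetMaxWrongAttempts, RecordWrongAttemptForActiveOtt and RemoveOTT calls; resolving it once near the top of the function, `app := auth.GetApp(context)`, and passing `app` to the three repository calls keeps them on the same value and reads more clearly. Scoping the wrong-attempt lookup by app also changes what the lockout threshold compared against `wrongAttempt` (outside this hunk) counts: the cap is now per (email hash, app) rather than per email hash, which matches GetValidOTTs already taking the app, but is worth confirming as intended since the same email is no longer limited by a single shared counter. verifyEmailOtt's body starts before the first hunk and continues after the second.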


@ -20,14 +20,14 @@ type UserAuthRepository struct {
func (repo *UserAuthRepository) AddOTT(emailHash string, app ente.App, ott string, expirationTime int64) error {
_, err := repo.DB.Exec(`INSERT INTO otts(email_hash, ott, creation_time, expiration_time, app)
VALUES($1, $2, $3, $4, $5)
ON CONFLICT ON CONSTRAINT unique_otts_emailhash_ott DO UPDATE SET creation_time = $3, expiration_time = $4`,
ON CONFLICT ON CONSTRAINT unique_otts_emailhash_app_ott DO UPDATE SET creation_time = $3, expiration_time = $4`,
emailHash, ott, time.Microseconds(), expirationTime, app)
return stacktrace.Propagate(err, "")
}
// RemoveOTT removes the specified OTT (to be used when an OTT has been consumed)
func (repo *UserAuthRepository) RemoveOTT(emailHash string, ott string) error {
_, err := repo.DB.Exec(`DELETE FROM otts WHERE email_hash = $1 AND ott = $2`, emailHash, ott)
func (repo *UserAuthRepository) RemoveOTT(emailHash string, ott string, app ente.App) error {
_, err := repo.DB.Exec(`DELETE FROM otts WHERE email_hash = $1 AND ott = $2 AND app = $3`, emailHash, ott, app)
return stacktrace.Propagate(err, "")
}
@ -69,9 +69,9 @@ func (repo *UserAuthRepository) GetValidOTTs(emailHash string, app ente.App) ([]
return otts, nil
}
func (repo *UserAuthRepository) GetMaxWrongAttempts(emailHash string) (int, error) {
row := repo.DB.QueryRow(`SELECT COALESCE(MAX(wrong_attempt),0) FROM otts WHERE email_hash = $1 AND expiration_time > $2`,
emailHash, time.Microseconds())
func (repo *UserAuthRepository) GetMaxWrongAttempts(emailHash string, app ente.App) (int, error) {
row := repo.DB.QueryRow(`SELECT COALESCE(MAX(wrong_attempt),0) FROM otts WHERE email_hash = $1 AND expiration_time > $2 AND app = $3`,
emailHash, time.Microseconds(), app)
var wrongAttempt int
if err := row.Scan(&wrongAttempt); err != nil {
return 0, stacktrace.Propagate(err, "Failed to scan row")
@ -81,9 +81,9 @@ func (repo *UserAuthRepository) GetMaxWrongAttempts(emailHash string) (int, erro
// RecordWrongAttemptForActiveOtt increases the wrong_attempt count for given emailHash and active ott.
// Assuming tha we keep deleting expired OTT, max(wrong_attempt) can be used to track brute-force attack
func (repo *UserAuthRepository) RecordWrongAttemptForActiveOtt(emailHash string) error {
func (repo *UserAuthRepository) RecordWrongAttemptForActiveOtt(emailHash string, app ente.App) error {
_, err := repo.DB.Exec(`UPDATE otts SET wrong_attempt = otts.wrong_attempt + 1
WHERE email_hash = $1 AND expiration_time > $2`, emailHash, time.Microseconds())
WHERE email_hash = $1 AND expiration_time > $2 AND app=$3`, emailHash, time.Microseconds(), app)
if err != nil {
return stacktrace.Propagate(err, "Failed to update wrong attempt count")
}