Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

Separated storage of session token hash into separate user session co…

…llection, which allows us to log-in multiple times (different computers). Also added expires to session
  • Loading branch information...
commit f0768a1b5429934d40f96c09b00788ddd4c6cc99 1 parent f19e0e0
@matb33 authored
View
2  rpc-endpoints.js
@@ -163,7 +163,7 @@ Meteor.methods({
var result;
if (!this.is_simulation) {
- result = Auth.clearUserBySessionToken(sessionToken);
+ result = Auth.clearUserSessions(sessionToken);
if (!result) {
throw new Meteor.Error(412, "Unable to logout: session token not matching a user.");
View
55 server/authentication/make-authentication-manager.js → server/authentication/authentication.js
@@ -5,25 +5,47 @@ var Auth = makeAuthenticationManager("unique_server_key_of_your_choosing_abc123"
userCollection: Users,
usernameField: "login",
passwordHashField: "password_hash",
- sessionTokenHashField: "session_token_hash"
+ sessionCollection: UserSessions
});
*/
+var UserSessions = new Meteor.Collection("authentication__user_sessions");
+
var makeAuthenticationManager = function (serverKey, options) {
var settings = _.extend({
userCollection: Users,
usernameField: "login",
passwordHashField: "password_hash",
- sessionTokenHashField: "session_token_hash"
+ sessionCollection: UserSessions,
+ sessionLongevitySeconds: 7 * 24 * 60 * 60
}, options);
- var getUserBySessionToken = function (sessionToken) {
- var user, query = {};
+ var AuthUsers = settings.userCollection;
+ var AuthUserSessions = settings.sessionCollection;
+
+ var getUserSessionBySessionToken = function (sessionToken) {
+ var session, hash;
if (isSessionTokenValid(sessionToken)) {
- query[settings.sessionTokenHashField] = getSessionTokenHash(sessionToken);
- user = settings.userCollection.findOne(query);
+ hash = getSessionTokenHash(sessionToken);
+ session = AuthUserSessions.findOne({"hash": hash});
+ if (session) {
+ if (Date.now() <= session.expires) {
+ return session;
+ } else {
+ AuthUserSessions.remove({_id: session._id});
+ }
+ }
+ }
+ };
+
+ var getUserBySessionToken = function (sessionToken) {
+ var user, session;
+
+ session = getUserSessionBySessionToken(sessionToken);
+ if (session) {
+ user = AuthUsers.findOne({_id: session.user_id});
if (user) {
return user;
}
@@ -86,14 +108,19 @@ var makeAuthenticationManager = function (serverKey, options) {
};
var getSessionTokenForUser = function (user) {
- var sessionToken, set = {};
+ var sessionToken, hash;
// Always generate signed token, since we have no way to retrieve
// it once it has been sent to the client upon login. We only store
// a hash of this token in the DB for security reasons.
sessionToken = generateSignedToken();
- set[settings.sessionTokenHashField] = getSessionTokenHash(sessionToken);
- settings.userCollection.update(user._id, {$set: set});
+ hash = getSessionTokenHash(sessionToken);
+
+ AuthUserSessions.insert({
+ user_id: user._id,
+ hash: hash,
+ expires: new Date(Date.now() + settings.sessionLongevitySeconds * 1000).getTime()
+ });
return sessionToken;
};
@@ -102,27 +129,25 @@ var makeAuthenticationManager = function (serverKey, options) {
var query = {}, user;
query[settings.usernameField] = username;
- user = settings.userCollection.findOne(query);
+ user = AuthUsers.findOne(query);
if (isUserPasswordCorrect(user, password)) {
return getSessionTokenForUser(user);
}
};
- var clearUserBySessionToken = function (sessionToken) {
+ var clearUserSessions = function (sessionToken) {
var user = getUserBySessionToken(sessionToken);
- var unset = {};
if (user) {
- unset[settings.sessionTokenHashField] = 1;
- settings.userCollection.update(user._id, {$unset: unset});
+ user = AuthUserSessions.remove({user_id: user._id});
return true;
}
};
return {
getSessionTokenForUsernamePassword: getSessionTokenForUsernamePassword,
- clearUserBySessionToken: clearUserBySessionToken,
+ clearUserSessions: clearUserSessions,
getUserBySessionToken: getUserBySessionToken,
generatePasswordHash: generatePasswordHash,
isUserPasswordCorrect: isUserPasswordCorrect
Please sign in to comment.
Something went wrong with that request. Please try again.