Merge pull request #4550 from tomhughes/drop-user-tokens

Drop user tokens table

app/controllers/api_controller.rb

@@ -112,8 +112,6 @@ def setup_user_auth
       # authenticate per-scheme
       self.current_user = if username.nil?
                             nil # no authentication provided - perhaps first connect (client should retry after 401)
-                          elsif username == "token"
-                            User.authenticate(:token => passwd) # preferred - random token for user from db, passed in basic auth
                           else
                             User.authenticate(:username => username, :password => passwd) # basic auth
                           end

app/controllers/application_controller.rb

@@ -44,8 +44,6 @@ def authorize_web
           redirect_to :controller => "users", :action => "terms", :referer => request.fullpath
         end
       end
-    elsif session[:token]
-      session[:user] = current_user.id if self.current_user = User.authenticate(:token => session[:token])
     end
 
     session[:fingerprint] = current_user.fingerprint if current_user && session[:fingerprint].nil?

app/controllers/confirmations_controller.rb

@@ -15,10 +15,7 @@ class ConfirmationsController < ApplicationController
 
   def confirm
     if request.post?
-      token = params[:confirm_string]
-
-      user = User.find_by_token_for(:new_user, token) ||
-             UserToken.unexpired.find_by(:token => token)&.user
+      user = User.find_by_token_for(:new_user, params[:confirm_string])
 
       if !user
         flash[:error] = t(".unknown token")
@@ -34,7 +31,6 @@ def confirm
         flash[:notice] = gravatar_status_message(user) if gravatar_enable(user)
         user.save!
         referer = safe_referer(params[:referer]) if params[:referer]
-        UserToken.delete_by(:token => token)
 
         pending_user = session.delete(:pending_user)
 
@@ -70,10 +66,7 @@ def confirm_resend
 
   def confirm_email
     if request.post?
-      token = params[:confirm_string]
-
-      self.current_user = User.find_by_token_for(:new_email, token) ||
-                          UserToken.unexpired.find_by(:token => params[:confirm_string])&.user
+      self.current_user = User.find_by_token_for(:new_email, params[:confirm_string])
 
       if current_user&.new_email?
         current_user.email = current_user.new_email
@@ -89,7 +82,6 @@ def confirm_email
         else
           flash[:errors] = current_user.errors
         end
-        current_user.tokens.delete_all
         session[:user] = current_user.id
         session[:fingerprint] = current_user.fingerprint
       elsif current_user

app/controllers/passwords_controller.rb

@@ -19,8 +19,7 @@ def edit
     @title = t ".title"
 
     if params[:token]
-      self.current_user = User.find_by_token_for(:password_reset, params[:token]) ||
-                          UserToken.unexpired.find_by(:token => params[:token])&.user
+      self.current_user = User.find_by_token_for(:password_reset, params[:token])
 
       if current_user.nil?
         flash[:error] = t ".flash token bad"
@@ -51,8 +50,7 @@ def create
 
   def update
     if params[:token]
-      self.current_user = User.find_by_token_for(:password_reset, params[:token]) ||
-                          UserToken.unexpired.find_by(:token => params[:token])&.user
+      self.current_user = User.find_by_token_for(:password_reset, params[:token])
 
       if current_user
         if params[:user]
@@ -62,7 +60,6 @@ def update
           current_user.email_valid = true
 
           if current_user.save
-            UserToken.delete_by(:token => params[:token])
             session[:fingerprint] = current_user.fingerprint
             flash[:notice] = t ".flash changed"
             successful_login(current_user)

app/models/user.rb

@@ -57,7 +57,6 @@ class User < ApplicationRecord
   has_many :muted_messages, -> { where(:to_user_visible => true, :muted => true).order(:sent_on => :desc).preload(:sender, :recipient) }, :class_name => "Message", :foreign_key => :to_user_id
   has_many :friendships, -> { joins(:befriendee).where(:users => { :status => %w[active confirmed] }) }
   has_many :friends, :through => :friendships, :source => :befriendee
-  has_many :tokens, :class_name => "UserToken", :dependent => :destroy
   has_many :preferences, :class_name => "UserPreference"
   has_many :changesets, -> { order(:created_at => :desc) }, :inverse_of => :user
   has_many :changeset_comments, :foreign_key => :author_id, :inverse_of => :author
@@ -165,9 +164,6 @@ def self.authenticate(options)
       else
         user = nil
       end
-    elsif options[:token]
-      token = UserToken.find_by(:token => options[:token])
-      user = token.user if token
     end
 
     if user &&
@@ -177,8 +173,6 @@ def self.authenticate(options)
       user = nil
     end
 
-    token.update(:expiry => 1.week.from_now) if token && user
-
     user
   end
 

db/migrate/20240228205723_drop_user_tokens.rb

@@ -0,0 +1,5 @@
+class DropUserTokens < ActiveRecord::Migration[7.1]
+  def up
+    drop_table :user_tokens
+  end
+end

db/structure.sql

@@ -1532,38 +1532,6 @@ CREATE SEQUENCE public.user_roles_id_seq
 ALTER SEQUENCE public.user_roles_id_seq OWNED BY public.user_roles.id;
 
 
---
--- Name: user_tokens; Type: TABLE; Schema: public; Owner: -
---
-
-CREATE TABLE public.user_tokens (
-    id bigint NOT NULL,
-    user_id bigint NOT NULL,
-    token character varying NOT NULL,
-    expiry timestamp without time zone NOT NULL,
-    referer text
-);
-
-
---
--- Name: user_tokens_id_seq; Type: SEQUENCE; Schema: public; Owner: -
---
-
-CREATE SEQUENCE public.user_tokens_id_seq
-    START WITH 1
-    INCREMENT BY 1
-    NO MINVALUE
-    NO MAXVALUE
-    CACHE 1;
-
-
---
--- Name: user_tokens_id_seq; Type: SEQUENCE OWNED BY; Schema: public; Owner: -
---
-
-ALTER SEQUENCE public.user_tokens_id_seq OWNED BY public.user_tokens.id;
-
-
 --
 -- Name: users; Type: TABLE; Schema: public; Owner: -
 --
@@ -1882,13 +1850,6 @@ ALTER TABLE ONLY public.user_mutes ALTER COLUMN id SET DEFAULT nextval('public.u
 ALTER TABLE ONLY public.user_roles ALTER COLUMN id SET DEFAULT nextval('public.user_roles_id_seq'::regclass);
 
 
---
--- Name: user_tokens id; Type: DEFAULT; Schema: public; Owner: -
---
-
-ALTER TABLE ONLY public.user_tokens ALTER COLUMN id SET DEFAULT nextval('public.user_tokens_id_seq'::regclass);
-
-
 --
 -- Name: users id; Type: DEFAULT; Schema: public; Owner: -
 --
@@ -2280,14 +2241,6 @@ ALTER TABLE ONLY public.user_roles
     ADD CONSTRAINT user_roles_pkey PRIMARY KEY (id);
 
 
---
--- Name: user_tokens user_tokens_pkey; Type: CONSTRAINT; Schema: public; Owner: -
---
-
-ALTER TABLE ONLY public.user_tokens
-    ADD CONSTRAINT user_tokens_pkey PRIMARY KEY (id);
-
-
 --
 -- Name: users users_pkey; Type: CONSTRAINT; Schema: public; Owner: -
 --
@@ -2901,20 +2854,6 @@ CREATE INDEX user_id_idx ON public.friends USING btree (friend_user_id);
 CREATE UNIQUE INDEX user_roles_id_role_unique ON public.user_roles USING btree (user_id, role);
 
 
---
--- Name: user_tokens_token_idx; Type: INDEX; Schema: public; Owner: -
---
-
-CREATE UNIQUE INDEX user_tokens_token_idx ON public.user_tokens USING btree (token);
-
-
---
--- Name: user_tokens_user_id_idx; Type: INDEX; Schema: public; Owner: -
---
-
-CREATE INDEX user_tokens_user_id_idx ON public.user_tokens USING btree (user_id);
-
-
 --
 -- Name: users_auth_idx; Type: INDEX; Schema: public; Owner: -
 --
@@ -3490,14 +3429,6 @@ ALTER TABLE ONLY public.user_roles
     ADD CONSTRAINT user_roles_user_id_fkey FOREIGN KEY (user_id) REFERENCES public.users(id);
 
 
---
--- Name: user_tokens user_tokens_user_id_fkey; Type: FK CONSTRAINT; Schema: public; Owner: -
---
-
-ALTER TABLE ONLY public.user_tokens
-    ADD CONSTRAINT user_tokens_user_id_fkey FOREIGN KEY (user_id) REFERENCES public.users(id);
-
-
 --
 -- Name: way_nodes way_nodes_id_fkey; Type: FK CONSTRAINT; Schema: public; Owner: -
 --
@@ -3581,6 +3512,7 @@ INSERT INTO "schema_migrations" (version) VALUES
 ('23'),
 ('22'),
 ('21'),
+('20240228205723'),
 ('20240117185445'),
 ('20231213182102'),
 ('20231206141457'),

script/cleanup

@@ -2,7 +2,6 @@
 
 require File.join(File.dirname(__FILE__), "..", "config", "environment")
 
-UserToken.where("expiry < NOW()").delete_all
 OauthNonce.where("timestamp < EXTRACT(EPOCH FROM NOW() - INTERVAL '1 day')").delete_all
 OauthToken.where("invalidated_at < NOW() - INTERVAL '28 days'").delete_all
 RequestToken.where("authorized_at IS NULL AND created_at < NOW() - INTERVAL '28 days'").delete_all