Added garbage collection for expired and defunct tokens in database.

This commit is contained in:
Danny Bessems 2019-12-10 15:57:06 +00:00
parent 6f53abf521
commit 3111185c10
6 changed files with 146 additions and 12 deletions

View File

@ -38,10 +38,11 @@ function authenticateLDAP (string $username, string $password) {
$commonName = ldap_get_entries($ds, $ldapSearchResults)[0]['cn'][0]; $commonName = ldap_get_entries($ds, $ldapSearchResults)[0]['cn'][0];
// Create JWT-payload // Create JWT-payload
$jwtPayload = [ $jwtPayload = [
'iat' => time(), // Issued at: time when the token was generated 'iat' => time(), // Issued at: time when the token was generated
'iss' => $_SERVER['SERVER_NAME'], // Issuer 'iss' => $_SERVER['SERVER_NAME'], // Issuer
'sub' => $qualifiedUsername, // Subject (ie. username) 'sub' => $qualifiedUsername, // Subject (ie. username)
'name' => $commonName // Common name (as retrieved from AD) 'name' => $commonName, // Common name (as retrieved from AD)
'fp' => base64_encode(json_encode(get_browser(null, True))) // Fingerprint (based on `HTTP_USER_AGENT`)
]; ];
$secureToken = JWT::encode($jwtPayload, base64_decode($settings->JWT['PrivateKey_base64'])); $secureToken = JWT::encode($jwtPayload, base64_decode($settings->JWT['PrivateKey_base64']));
@ -121,8 +122,8 @@ function validateToken (string $secureToken) {
WHERE LOWER(User.Username) = :username WHERE LOWER(User.Username) = :username
'); ');
$pdoQuery->execute([ $pdoQuery->execute([
':username' => (string) strtolower($jwtPayload->sub) ':username' => (string) strtolower($jwtPayload->sub)
]); ]);
foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) { foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
try { try {
$storedTokens[] = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']); $storedTokens[] = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
@ -136,7 +137,9 @@ function validateToken (string $secureToken) {
if (!empty($storedTokens) && sizeof(array_filter($storedTokens, function ($value) use ($jwtPayload) { if (!empty($storedTokens) && sizeof(array_filter($storedTokens, function ($value) use ($jwtPayload) {
return $value->iat === $jwtPayload->iat; return $value->iat === $jwtPayload->iat;
})) === 1) { })) === 1) {
return [ purgeTokens($currentUserId, $settings->Session['Duration']);
return [
'status' => 'Success', 'status' => 'Success',
'name' => $jwtPayload->name, 'name' => $jwtPayload->name,
'uid' => $currentUserId 'uid' => $currentUserId
@ -149,4 +152,54 @@ function validateToken (string $secureToken) {
} }
} }
function purgeTokens(int $userID, int $maximumTokenAge) {
global $settings, $pdoDB;
$defunctTokens = []; $expiredTokens = [];
$pdoQuery = $pdoDB->prepare('
SELECT SecureToken.Id, SecureToken.Value
FROM SecureToken
WHERE SecureToken.UserId = :userid
');
$pdoQuery->execute([
':userid' => (int) $userID
]);
foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
try {
$token = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
if ($token->iat < (time() - $maximumTokenAge)) {
$expiredTokens[] = $row['Id'];
}
} catch (Exception $e) {
$defunctTokens[] = $row['Id'];
}
}
try {
// Sadly, PDO does not support named parameters in constructions like 'IN ( :array )'
// instead, the supported syntax is unnamed placeholders like 'IN (?, ?, ?, ...)'
$pdoQuery = $pdoDB->prepare('
DELETE FROM SecureToken
WHERE SecureToken.Id IN (' . implode( ',', array_fill(0, count(array_merge($defunctTokens, $expiredTokens)), '?')) . ')
');
$pdoQuery->execute(array_merge($defunctTokens, $expiredTokens));
if ($settings->Debug['LogToFile']) {
file_put_contents('../purgeToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Garbage collection succeeded (' . $userID . ' => ' . $pdoQuery->rowCount() . ')' . PHP_EOL, FILE_APPEND);
}
return [
'status' => 'Success',
'amount' => $pdoQuery->rowCount()
];
} catch (Exception $e) {
if ($settings->Debug['LogToFile']) {
file_put_contents('../purgeToken.log', (new DateTime())->format('Y-m-d\TH:i:s.u') . ' --- Garbage collection failed (' . $userID . ' => ' . $e . ')' . PHP_EOL, FILE_APPEND);
}
return ['status' => 'Fail', 'reason' => $e];
}
}
?> ?>

View File

@ -130,6 +130,22 @@ $contentLayout['manage']['section'] = <<<'MANAGE_SECTION'
%1$s %1$s
</tbody> </tbody>
</table> </table>
<div id="sessions">
<span data-translation="label_sessions" style="float: left; margin-left: 5px;">Sessions</span>
<br>
<table id="sessiontable">
<thead>
<tr>
<th data-translation="th_timestamp">Timestamp</th>
<th data-translation="th_origin">&lt;origin&gt;</th>
<th data-translation="th_description">Description</th>
<th data-translation="th_manage">Manage</th>
</tr>
</thead>
<tbody>
</tbody>
</table>
</div>
</li> </li>
</ul> </ul>
MANAGE_SECTION; MANAGE_SECTION;

View File

@ -9,23 +9,36 @@
if ($validateTokenResult['status'] === "Success") { if ($validateTokenResult['status'] === "Success") {
if ($_REQUEST['do'] === 'retrievesessions') { if ($_REQUEST['do'] === 'retrievesessions') {
$storedTokens = [];
$pdoQuery = $pdoDB->prepare(' $pdoQuery = $pdoDB->prepare('
SELECT SecureToken.Id, SecureToken.UserId, SecureToken.Value SELECT SecureToken.Id, SecureToken.UserId, SecureToken.Value
FROM SecureToken FROM SecureToken
WHERE SecureToken.Id = :userid WHERE SecureToken.UserId = :userid
'); ');
$pdoQuery->execute([ $pdoQuery->execute([
':userid' => (int) $_REQUEST['userid'] ':userid' => (int) $_REQUEST['userid']
]); ]);
foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) { foreach($pdoQuery->fetchAll(PDO::FETCH_ASSOC) as $row) {
//bla try {
$JWTPayload = JWT::decode($row['Value'], base64_decode($settings->JWT['PrivateKey_base64']), $settings->JWT['Algorithm']);
$storedTokens[] = [
'iat' => $JWTPayload->iat,
'iss' => $JWTPayload->iss,
'fp' => $JWTPayload->fp
];
} catch (Exception $e) {
// Invalid token
continue;
}
} }
// Return JSON object // Return JSON object
header('Content-Type: application/json'); header('Content-Type: application/json');
echo json_encode([ echo json_encode([
"Result" => "Success", "Result" => "Success",
"UserSessions" => json_encode( $moo ) "SessionCount" => sizeof($storedTokens),
"UserSessions" => json_encode($storedTokens)
]); ]);
} else { } else {
// No action requested, default action // No action requested, default action

View File

@ -2,14 +2,43 @@ $(document).ready(function(){
// Initialize the editable-table functionality // Initialize the editable-table functionality
$('#usertable').editableTableWidget(); $('#usertable').editableTableWidget();
// Prevent clicking *through* popup-screens
$('#sessions').click(function(event) {
event.stopPropagation();
});
// Add eventhandlers to buttons // Add eventhandlers to buttons
$('#usertable button.session').click(function() { $('#usertable button.session').click(function() {
event.stopPropagation();
$('#sessions tbody').empty();
$('#sessions').fadeToggle();
$.post("lucidAuth.manage.php", { $.post("lucidAuth.manage.php", {
do: "retrievesessions", do: "retrievesessions",
userid: $(this).closest('tr').find('td:nth-child(1)').data('userid') userid: $(this).closest('tr').find('td:nth-child(1)').data('userid')
}) })
.done(function(data,_status) { .done(function(data,_status) {
if (data.Result === 'Success') { if (data.Result === 'Success') {
var Sessions = JSON.parse(data.UserSessions);
for (var i = 0; i < data.SessionCount; i++) {
try {
var Fingerprint = JSON.parse(atob(Sessions[i]['fp']));
} catch(e) {
// Do nothing
}
$('#sessiontable tbody').append($('<tr>')
.append($('<td>', {
text: new Date(Sessions[i]['iat'] * 1000).toLocaleString('en-GB')
}))
.append($('<td>', {
text: Sessions[i]['iss']
}))
.append($('<td>', {
// text: Sessions[i]['fp'] ? atob(Sessions[i]['fp'])['browser'] + '(' + atob(Sessions[i]['fp'])['platform'] + ')' : ''
text: Fingerprint ? Fingerprint['browser'] + ' (' + Fingerprint['platform'] + ')' : ''
}))
);
}
} else { } else {
} }
}); });
@ -107,4 +136,8 @@ console.log({'new': newEntries, 'removed': removedEntries});
} }
}); });
});
$(document).click(function () {
$('#sessions').fadeOut();
}); });

View File

@ -7,7 +7,8 @@ var locales = {
button_delete: "delete", button_delete: "delete",
button_login: "login", button_login: "login",
heading_error: "ERROR!", heading_error: "ERROR!",
label_password: "Password:", label_password: "Password:",
label_sessions: "Sessions",
label_username: "Username:", label_username: "Username:",
link_logout: "Logout", link_logout: "Logout",
span_credentialsavailable: "Login credentials available upon request!", span_credentialsavailable: "Login credentials available upon request!",
@ -24,7 +25,8 @@ var locales = {
button_delete: "verwijder", button_delete: "verwijder",
button_login: "log in", button_login: "log in",
heading_error: "FOUT!", heading_error: "FOUT!",
label_password: "Wachtwoord:", label_password: "Wachtwoord:",
label_sessions: "Sessies",
label_username: "Gebruikersnaam:", label_username: "Gebruikersnaam:",
link_logout: "Log uit", link_logout: "Log uit",
span_credentialsavailable: "Inloggegevens verkrijgbaar op aanvraag!", span_credentialsavailable: "Inloggegevens verkrijgbaar op aanvraag!",

View File

@ -129,6 +129,23 @@ body {
.main section .buttons button { .main section .buttons button {
margin-left: inherit; margin-left: inherit;
} }
.main section #sessions {
display: none;
position: absolute;
top: calc(50% - 160px);
right: 20%;
height: 320px;
width: 60%;
border: 1px solid rgb(0, 51, 153);
box-shadow: black 0px 0px 20px;
box-sizing: border-box;
padding-top: 5px;
background: white;
font-size: inherit;
font-weight: bold;
z-index: 99;
overflow-y: auto;
}
.main section table { .main section table {
width: 100%; width: 100%;
} }