Prune expired auth requests + add global max limit. Closes #2490
This commit is contained in:
Gabe Kangas
@@ -2,9 +2,13 @@ package fediverse
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"errors"
|
||||
"io"
|
||||
"strings"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
log "github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// OTPRegistration represents a single OTP request.
|
||||
@@ -18,19 +22,53 @@ type OTPRegistration struct {
|
||||
|
||||
// Key by access token to limit one OTP request for a person
|
||||
// to be active at a time.
|
||||
var pendingAuthRequests = make(map[string]OTPRegistration)
|
||||
var (
|
||||
pendingAuthRequests = make(map[string]OTPRegistration)
|
||||
lock = sync.Mutex{}
|
||||
)
|
||||
|
||||
const registrationTimeout = time.Minute * 10
|
||||
const (
|
||||
registrationTimeout = time.Minute * 10
|
||||
maxPendingRequests = 1000
|
||||
)
|
||||
|
||||
func init() {
|
||||
go setupExpiredRequestPruner()
|
||||
}
|
||||
|
||||
// Clear out any pending requests that have been pending for greater than
|
||||
// the specified timeout value.
|
||||
func setupExpiredRequestPruner() {
|
||||
pruneExpiredRequestsTimer := time.NewTicker(registrationTimeout)
|
||||
|
||||
for range pruneExpiredRequestsTimer.C {
|
||||
lock.Lock()
|
||||
log.Debugln("Pruning expired OTP requests.")
|
||||
for k, v := range pendingAuthRequests {
|
||||
if time.Since(v.Timestamp) > registrationTimeout {
|
||||
delete(pendingAuthRequests, k)
|
||||
}
|
||||
}
|
||||
lock.Unlock()
|
||||
}
|
||||
}
|
||||
|
||||
// RegisterFediverseOTP will start the OTP flow for a user, creating a new
|
||||
// code and returning it to be sent to a destination.
|
||||
func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) (OTPRegistration, bool) {
|
||||
func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string) (OTPRegistration, bool, error) {
|
||||
request, requestExists := pendingAuthRequests[accessToken]
|
||||
|
||||
// If a request is already registered and has not expired then return that
|
||||
// existing request.
|
||||
if requestExists && time.Since(request.Timestamp) < registrationTimeout {
|
||||
return request, false
|
||||
return request, false, nil
|
||||
}
|
||||
|
||||
lock.Lock()
|
||||
defer lock.Unlock()
|
||||
|
||||
if len(pendingAuthRequests)+1 > maxPendingRequests {
|
||||
return request, false, errors.New("Please try again later. Too many pending requests.")
|
||||
}
|
||||
|
||||
code, _ := createCode()
|
||||
@@ -43,7 +81,7 @@ func RegisterFediverseOTP(accessToken, userID, userDisplayName, account string)
|
||||
}
|
||||
pendingAuthRequests[accessToken] = r
|
||||
|
||||
return r, true
|
||||
return r, true, nil
|
||||
}
|
||||
|
||||
// ValidateFediverseOTP will verify a OTP code for a auth request.
|
||||
@@ -54,6 +92,9 @@ func ValidateFediverseOTP(accessToken, code string) (bool, *OTPRegistration) {
|
||||
return false, nil
|
||||
}
|
||||
|
||||
lock.Lock()
|
||||
defer lock.Unlock()
|
||||
|
||||
delete(pendingAuthRequests, accessToken)
|
||||
return true, &request
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user