Store session_ids in separate table

2025-12-16 04:58:29 +00:00 · 2019-02-10 12:33:29 -06:00
parent 8bbf351d04
commit 3646395f1d
4 changed files with 58 additions and 25 deletions
--- a/src/invidious.cr
+++ b/src/invidious.cr
@@ -163,9 +163,10 @@ before_all do |env|

    # Invidious users only have SID
    if !env.request.cookies.has_key? "SSID"
-      user = PG_DB.query_one?("SELECT * FROM users WHERE $1 = ANY(id)", sid, as: User)
+      email = PG_DB.query_one?("SELECT email FROM session_ids WHERE id = $1", sid, as: String)

-      if user
+      if email
+        user = PG_DB.query_one("SELECT * FROM users WHERE email = $1", email, as: User)
        challenge, token = create_response(user.email, "sign_out", HMAC_KEY, PG_DB, 1.week)

        env.set "challenge", challenge
@@ -177,7 +178,7 @@ before_all do |env|
      end
    else
      begin
-        user = get_user(sid, headers, PG_DB, false)
+        user, sid = get_user(sid, headers, PG_DB, false)

        challenge, token = create_response(user.email, "sign_out", HMAC_KEY, PG_DB, 1.week)
        env.set "challenge", challenge
@@ -312,7 +313,7 @@ get "/watch" do |env|
  end

  if watched && !watched.includes? id
-    PG_DB.exec("UPDATE users SET watched = watched || $1 WHERE $2 = id", [id], user.as(User).id)
+    PG_DB.exec("UPDATE users SET watched = watched || $1 WHERE email = $2", [id], user.as(User).email)
  end

  if nojs
@@ -880,7 +881,7 @@ post "/login" do |env|

      sid = login.cookies["SID"].value

-      user = get_user(sid, headers, PG_DB)
+      user, sid = get_user(sid, headers, PG_DB)

      # We are now logged in

@@ -986,7 +987,7 @@ post "/login" do |env|

      if Crypto::Bcrypt::Password.new(user.password.not_nil!) == password
        sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
-        PG_DB.exec("UPDATE users SET id = id || $1 WHERE LOWER(email) = LOWER($2)", [sid], email)
+        PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)

        if Kemal.config.ssl || CONFIG.https_only
          secure = true
@@ -1024,13 +1025,14 @@ post "/login" do |env|
      end

      sid = Base64.urlsafe_encode(Random::Secure.random_bytes(32))
-      user = create_user(sid, email, password)
+      user, sid = create_user(sid, email, password)
      user_array = user.to_a

      user_array[5] = user_array[5].to_json
      args = arg_array(user_array)

      PG_DB.exec("INSERT INTO users VALUES (#{args})", user_array)
+      PG_DB.exec("INSERT INTO session_ids VALUES ($1, $2, $3)", sid, email, Time.now)

      view_name = "subscriptions_#{sha256(user.email)[0..7]}"
      PG_DB.exec("CREATE MATERIALIZED VIEW #{view_name} AS \
@@ -1078,7 +1080,7 @@ get "/signout" do |env|

    user = env.get("user").as(User)
    sid = env.get("sid").as(String)
-    PG_DB.exec("UPDATE users SET id = array_remove(id, $1) WHERE email = $2", sid, user.email)
+    PG_DB.exec("DELETE FROM session_ids * WHERE id = $1", sid)

    env.request.cookies.each do |cookie|
      cookie.expires = Time.new(1990, 1, 1)
@@ -1252,7 +1254,7 @@ get "/mark_watched" do |env|
  if user
    user = user.as(User)
    if !user.watched.includes? id
-      PG_DB.exec("UPDATE users SET watched = watched || $1 WHERE $2 = id", [id], user.id)
+      PG_DB.exec("UPDATE users SET watched = watched || $1 WHERE email = $2", [id], user.email)
    end
  end

@@ -1347,9 +1349,10 @@ get "/subscription_manager" do |env|
  locale = LOCALES[env.get("locale").as(String)]?

  user = env.get? "user"
+  sid = env.get? "sid"
  referer = get_referer(env, "/")

-  if !user
+  if !user && !sid
    next env.redirect referer
  end

@@ -1360,7 +1363,7 @@ get "/subscription_manager" do |env|
    headers = HTTP::Headers.new
    headers["Cookie"] = env.request.headers["Cookie"]

-    user = get_user(user.id[0], headers, PG_DB)
+    user, sid = get_user(sid, headers, PG_DB)
  end

  action_takeout = env.params.query["action_takeout"]?.try &.to_i?
@@ -1756,10 +1759,12 @@ get "/feed/subscriptions" do |env|
  locale = LOCALES[env.get("locale").as(String)]?

  user = env.get? "user"
+  sid = env.get? "sid"
  referer = get_referer(env)

  if user
    user = user.as(User)
+    sid = sid.as(String)
    preferences = user.preferences

    if preferences.unseen_only
@@ -1771,7 +1776,7 @@ get "/feed/subscriptions" do |env|
    headers["Cookie"] = env.request.headers["Cookie"]

    if !user.password
-      user = get_user(user.id[0], headers, PG_DB)
+      user, sid = get_user(sid, headers, PG_DB)
    end

    max_results = preferences.max_results