From d17c8df926df8a72e44edc4ee60134c38718f416 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Fri, 26 Oct 2018 00:29:28 +0200
Subject: [PATCH] Only check for suspicious login for staff members

---
 app/models/user_auth_token.rb | 29 ++++++++++---------
 lib/auth/default_current_user_provider.rb | 10 ++++---
 spec/jobs/suspicious_login_spec.rb | 2 +-
 .../user_auth_token_serializer_spec.rb | 4 +--
 4 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/app/models/user_auth_token.rb b/app/models/user_auth_token.rb
index 2c066b4255d..b36af49d815 100644
--- a/app/models/user_auth_token.rb
+++ b/app/models/user_auth_token.rb
@@ -50,6 +50,8 @@ class UserAuthToken < ActiveRecord::Base
   end
 
   def self.is_suspicious(user_id, user_ip)
+    return false unless User.find_by(id: user_id)&.staff?
+
     ips = UserAuthTokenLog.where(user_id: user_id).pluck(:client_ip)
     ips.delete_at(ips.index(user_ip) || ips.length) # delete one occurance (current)
     ips.uniq!
@@ -59,13 +61,13 @@ class UserAuthToken < ActiveRecord::Base
     ips.none? { |ip| user_location == login_location(ip) }
   end
 
-  def self.generate!(info)
+  def self.generate!(user_id: , user_agent: nil, client_ip: nil, path: nil, staff: nil)
     token = SecureRandom.hex(16)
     hashed_token = hash_token(token)
     user_auth_token = UserAuthToken.create!(
-      user_id: info[:user_id],
-      user_agent: info[:user_agent],
-      client_ip: info[:client_ip],
+      user_id: user_id,
+      user_agent: user_agent,
+      client_ip: client_ip,
       auth_token: hashed_token,
       prev_auth_token: hashed_token,
       rotated_at: Time.zone.now
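Review bot: The new `staff:` keyword on `generate!` defaults to `nil`, so any caller that omits it silently skips the suspicious-login job even when `user_id` belongs to a staff account; the flag duplicates state the method could derive itself, and `is_suspicious` in the first hunk already performs exactly that lookup. Consider resolving it when absent, e.g. `staff = User.find_by(id: user_id)&.staff? if staff.nil?` just before the `if staff` in the following hunk (`@@ -74,22 +76,23 @@`), so the explicit argument passed from `log_on_user` remains an optimisation rather than the only guard. Minor style point on the new signature: `user_id: ,` carries a stray space before the comma and reads better as `user_id:,`. The body of `generate!` continues in the next hunk.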
@@ -74,22 +76,23 @@ class UserAuthToken < ActiveRecord::Base
 
     log(action: 'generate',
         user_auth_token_id: user_auth_token.id,
-        user_id: info[:user_id],
-        user_agent: info[:user_agent],
-        client_ip: info[:client_ip],
-        path: info[:path],
+        user_id: user_id,
+        user_agent: user_agent,
+        client_ip: client_ip,
+        path: path,
         auth_token: hashed_token)
 
-    Jobs.enqueue(:suspicious_login,
-      user_id: info[:user_id],
-      client_ip: info[:client_ip],
-      user_agent: info[:user_agent])
+    if staff
+      Jobs.enqueue(:suspicious_login,
+        user_id: user_id,
+        client_ip: client_ip,
+        user_agent: user_agent)
+    end
 
     user_auth_token
   end
 
   def self.lookup(unhashed_token, opts = nil)
 
-    mark_seen = opts && opts[:seen]
 
     token = hash_token(unhashed_token)
diff --git a/lib/auth/default_current_user_provider.rb b/lib/auth/default_current_user_provider.rb
index e4badae622f..7ecf7c2392a 100644
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@@ -150,10 +150,12 @@ class Auth::DefaultCurrentUserProvider
   end
 
   def log_on_user(user, session, cookies)
-    @user_token = UserAuthToken.generate!(user_id: user.id,
-                                          user_agent: @env['HTTP_USER_AGENT'],
-                                          path: @env['REQUEST_PATH'],
-                                          client_ip: @request.ip)
+    @user_token = UserAuthToken.generate!(
+      user_id: user.id,
+      user_agent: @env['HTTP_USER_AGENT'],
+      path: @env['REQUEST_PATH'],
+      client_ip: @request.ip,
+      staff: user.staff?)
 
     cookies[TOKEN_COOKIE] = cookie_hash(@user_token.unhashed_auth_token)
     unstage_user(user)
diff --git a/spec/jobs/suspicious_login_spec.rb b/spec/jobs/suspicious_login_spec.rb
index 836bac3d185..b7e63bfd3c0 100644
--- a/spec/jobs/suspicious_login_spec.rb
+++ b/spec/jobs/suspicious_login_spec.rb
@@ -2,7 +2,7 @@ require 'rails_helper'
 
 describe Jobs::SuspiciousLogin do
 
-  let(:user) { Fabricate(:user) }
+  let(:user) { Fabricate(:moderator) }
 
   before do
     UserAuthToken.stubs(:login_location).with("1.1.1.1").returns("Location 1")
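Review bot: The removal of `mark_seen = opts && opts[:seen]` at the top of `lookup` is unrelated to the staff gating named in the commit title, and the rest of `lookup` lies outside this hunk; if any line further down still reads `mark_seen`, this raises NameError on every token lookup, so it is worth confirming the local is genuinely dead rather than relying on an unused-variable warning. A short comment on the new `if staff` block would also help the next reader, since the same decision is now made in two places: `# Only staff logins are checked for suspicious activity; is_suspicious enforces the same rule independently`. Both `generate!` (whose start is in the previous hunk) and `lookup` extend beyond the edges of this hunk.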
diff --git a/spec/serializers/user_auth_token_serializer_spec.rb b/spec/serializers/user_auth_token_serializer_spec.rb
index ef8f9f7cc90..93d94f76edb 100644
--- a/spec/serializers/user_auth_token_serializer_spec.rb
+++ b/spec/serializers/user_auth_token_serializer_spec.rb
@@ -2,8 +2,8 @@ require 'rails_helper'
 
 describe UserAuthTokenSerializer do
 
-  let(:user) { Fabricate(:user) }
-  let(:token) { UserAuthToken.generate!(user_id: user.id, client_ip: '2a02:ea00::') }
+  let(:user) { Fabricate(:moderator) }
+  let(:token) { UserAuthToken.generate!(user_id: user.id, client_ip: '2a02:ea00::', staff: true) }
 
   before(:each) do
     DiscourseIpInfo.open_db(File.join(Rails.root, 'spec', 'fixtures', 'mmdb'))