Merge branch 'dev' into feature/blog

2025-04-29 22:06:37 +01:00 · 2025-04-29 22:06:37 +01:00 · 99e5eb290f
commit 99e5eb290f
parent 0796ea8fde 562ed2e015
10 changed files with 172 additions and 19 deletions
--- a/controller/account.go
+++ b/controller/account.go
@ -110,3 +110,26 @@ func DeleteAccount(db *sqlx.DB, accountID string) error {
    _, err := db.Exec("DELETE FROM account WHERE id=$1", accountID)
    return err
 }
+
+func IncrementAccountFails(db *sqlx.DB, accountID string) (bool, error) {
+	failAttempts := 0
+	err := db.Get(&failAttempts, "UPDATE account SET fail_attempts = fail_attempts + 1 WHERE id=$1 RETURNING fail_attempts", accountID)
+	if err != nil { return false, err }
+	locked := false
+	if failAttempts >= model.MAX_LOGIN_FAIL_ATTEMPTS {
+		err = LockAccount(db, accountID)
+		if err != nil { return false, err }
+		locked = true
+	}
+	return locked, err
+}
+
+func LockAccount(db *sqlx.DB, accountID string) error {
+	_, err := db.Exec("UPDATE account SET locked = true WHERE id=$1", accountID)
+	return err
+}
+
+func UnlockAccount(db *sqlx.DB, accountID string) error {
+	_, err := db.Exec("UPDATE account SET locked = false, fail_attempts = 0 WHERE id=$1", accountID)
+	return err
+}
--- a/controller/migrator.go
+++ b/controller/migrator.go
@ -8,7 +8,7 @@ import (
 	"github.com/jmoiron/sqlx"
 )

-const DB_VERSION int = 3
+const DB_VERSION int = 4

 func CheckDBVersionAndMigrate(db *sqlx.DB) {
    db.MustExec("CREATE SCHEMA IF NOT EXISTS arimelody")
@ -45,6 +45,10 @@ func CheckDBVersionAndMigrate(db *sqlx.DB) {
            ApplyMigration(db, "002-audit-logs")
            oldDBVersion = 3

+        case 3:
+            ApplyMigration(db, "003-fail-lock")
+            oldDBVersion = 4
+
        }
    }

--- a/controller/session.go
+++ b/controller/session.go
@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"

+	"arimelody-web/log"
 	"arimelody-web/model"

 	"github.com/jmoiron/sqlx"
@ -15,7 +16,7 @@ import (

 const TOKEN_LEN = 64

-func GetSessionFromRequest(db *sqlx.DB, r *http.Request) (*model.Session, error) {
+func GetSessionFromRequest(app *model.AppState, r *http.Request) (*model.Session, error) {
    sessionCookie, err := r.Cookie(model.COOKIE_TOKEN)
    if err != nil && err != http.ErrNoCookie {
        return nil, errors.New(fmt.Sprintf("Failed to retrieve session cookie: %v", err))
@ -25,14 +26,26 @@ func GetSessionFromRequest(db *sqlx.DB, r *http.Request) (*model.Session, error)

    if sessionCookie != nil {
        // fetch existing session
-        session, err = GetSession(db, sessionCookie.Value)
+        session, err = GetSession(app.DB, sessionCookie.Value)

        if err != nil && !strings.Contains(err.Error(), "no rows") {
            return nil, errors.New(fmt.Sprintf("Failed to retrieve session: %v", err))
        }

        if session != nil {
-            // TODO: consider running security checks here (i.e. user agent mismatches)
+			if session.UserAgent != r.UserAgent() {
+				msg := "Session user agent mismatch. A cookie may have been hijacked!"
+				if session.Account != nil {
+					account, _ := GetAccountByID(app.DB, session.Account.ID)
+					msg += " (Account \"" + account.Username + "\")"
+				}
+				app.Log.Warn(log.TYPE_ACCOUNT, msg)
+				err = DeleteSession(app.DB, session.Token)
+				if err != nil {
+					app.Log.Warn(log.TYPE_ACCOUNT, "Failed to delete affected session")
+				}
+				return nil, nil
+			}
        }
    }