summaryrefslogtreecommitdiffstats
path: root/server.lua
diff options
context:
space:
mode:
authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-03-15 12:42:16 +0200
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-03-15 12:42:16 +0200
commit249ba17326502ee6ef26808c84df1829175a441f (patch)
tree87e2059821e433dcee9afde0c865fdd2caa07875 /server.lua
parent6400d3b0f3576ca3bc1278fe6706d7de7fffe1fe (diff)
downloadaconf-249ba17326502ee6ef26808c84df1829175a441f.tar.bz2
aconf-249ba17326502ee6ef26808c84df1829175a441f.tar.xz
more secure session management
use random identifiers bind open transactions to the session
Diffstat (limited to 'server.lua')
-rw-r--r--server.lua39
1 files changed, 19 insertions, 20 deletions
diff --git a/server.lua b/server.lua
index 592e1e1..0bd5553 100644
--- a/server.lua
+++ b/server.lua
@@ -10,16 +10,11 @@ require 'json'
require 'stringy'
--- TODO shared storage for login sessions
-local last_sid = 0
-local sessions = {}
-
--- TODO implement transactions as threads or store their state in
--- shared storage
-local last_txn_id = 0
-local txns = {}
+math.randomseed(os.time())
--- TODO expire stale sessions and transactions
+-- TODO shared storage for sessions
+-- TODO expire stale sessions
+local sessions = {}
return function(env)
@@ -57,16 +52,17 @@ return function(env)
end
local sid = tonumber(env.HTTP_X_ACF_AUTH_TOKEN)
- local user, txn_id
+ local session, user, txn_id
if sid then
- user = sessions[sid]
- if not user then return wrap(401) end
+ session = sessions[sid]
+ if not session then return wrap(401) end
+ user = session.user
txn_id = tonumber(env.HTTP_X_ACF_TRANSACTION_ID)
end
local parent_txn
if txn_id then
- parent_txn = txns[txn_id]
+ parent_txn = session.txns[txn_id]
if not parent_txn then
return wrap(400, nil, 'Invalid transaction ID')
end
@@ -88,9 +84,12 @@ return function(env)
end
fetch_user(data.username)
if user and user:check_password(data.password) then
- last_sid = last_sid + 1
- local sid = last_sid
- sessions[sid] = data.username
+ local sid
+ repeat
+ sid = math.floor(math.random() * 2^32)
+ until not sessions[sid]
+
+ sessions[sid] = {user=data.username, last_txn_id=0, txns={}}
return wrap(204, {['X-ACF-Auth-Token']=sid})
end
return wrap(401)
@@ -163,15 +162,15 @@ return function(env)
if ({DELETE=true, PUT=true})[method] then
if not txn_id then return 405 end
if method == 'PUT' then parent_txn:commit() end
- txns[txn_id] = nil
+ session.txns[txn_id] = nil
return 204
end
if method ~= 'POST' then return 405 end
- last_txn_id = last_txn_id + 1
- local txn_id = last_txn_id
- txns[txn_id] = acf.transaction.start(parent_txn)
+ session.last_txn_id = session.last_txn_id + 1
+ local txn_id = session.last_txn_id
+ session.txns[txn_id] = acf.transaction.start(parent_txn)
return 204, {['X-ACF-Transaction-ID']=txn_id}
end