This repository has been archived by the owner on May 27, 2024. It is now read-only.

Commit

do not check session_expires_at for guest users that do not login locally
François Kooman committed May 6, 2020
1 parent 7864f1b commit 390f1db
Showing 2 changed files with 18 additions and 7 deletions.
3 changes: 3 additions & 0 deletions CHANGES.md
@@ -1,5 +1,8 @@
# Changelog

## 2.2.1 (2020-05-06)
- do not check `session_expires_at` for guest users that do not login locally

## 2.2.0 (2020-05-03)
- better logging in case permissions for connecting to VPN are not available
- log user login with updated permissions/expiry times
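Review bot: the 2.2.1 entry should say how a guest user is recognised, because the accompanying change in src/Api/ConnectionsModule.php skips the `session_expires_at` check for every user id that contains `!!`, not only for accounts known to have logged in remotely. Operators reading the changelog need that detail to judge whether any of their local user ids are affected.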
22 changes: 15 additions & 7 deletions src/Api/ConnectionsModule.php
Expand Up @@ -132,13 +132,21 @@ private function verifyConnection($profileId, $commonName)

$userId = $result['user_id'];

// this is always string, but DB gives back scalar|null
$sessionExpiresAt = new DateTime((string) $this->storage->getSessionExpiresAt($userId));
if ($sessionExpiresAt->getTimestamp() < $this->dateTime->getTimestamp()) {
$errMsg = sprintf('[VPN] the certificate is still valid, but the session expired at %s', $sessionExpiresAt->format(DateTime::ATOM));
$this->storage->addUserMessage($userId, 'notification', $errMsg);

return new ApiErrorResponse('connect', $errMsg);
if (false === strpos($userId, '!!')) {
// FIXME "!!" indicates it is a remote guest user coming in with a
// foreign OAuth token, for those we do NOT check expiry.. this is
// really ugly hack, we need to get rid of sessionExpiresAt
// completely instead! This check is skipped when a non remote
// guest user id contains '!!' for some reason...
//
// this is always string, but DB gives back scalar|null
$sessionExpiresAt = new DateTime((string) $this->storage->getSessionExpiresAt($userId));
if ($sessionExpiresAt->getTimestamp() < $this->dateTime->getTimestamp()) {
$errMsg = sprintf('[VPN] the certificate is still valid, but the session expired at %s', $sessionExpiresAt->format(DateTime::ATOM));
$this->storage->addUserMessage($userId, 'notification', $errMsg);

return new ApiErrorResponse('connect', $errMsg);
}
}

if ($result['user_is_disabled']) {
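Review bot: the guard `if (false === strpos($userId, '!!'))` that opens the new block makes enforcement of session expiry depend on the contents of the user id string, so any account whose id contains `!!`, local or remote, is never rejected for an expired session, which the FIXME itself concedes. This is an authorization decision, so it should rest on an explicit record of how the user authenticated rather than on a substring match, or at the very least locally created user ids should be prevented from containing `!!` so the two namespaces cannot collide. With expiry skipped, the only check visible here that still applies to a guest user is the `user_is_disabled` test that follows, so the comment should state what bounds a guest's access until `sessionExpiresAt` is removed as planned.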