Add 'expire' to filter invalid tokens

2025-06-05 23:29:12 +02:00 · 2018-11-19 18:41:11 -06:00
parent b535de690e
commit ad20d6359b
2 changed files with 3 additions and 2 deletions
--- a/src/invidious/users.cr
+++ b/src/invidious/users.cr
@ -203,7 +203,7 @@ end
 def create_response(user_id, operation, key, db, expire = 6.hours)
  expire = Time.now + expire
  nonce = Random::Secure.hex(16)
-  db.exec("INSERT INTO nonces VALUES ($1) ON CONFLICT DO NOTHING", nonce)
+  db.exec("INSERT INTO nonces VALUES ($1, $2) ON CONFLICT DO NOTHING", nonce, expire)

  challenge = "#{expire.to_unix}-#{nonce}-#{user_id}-#{operation}"
  token = OpenSSL::HMAC.digest(:sha256, key, challenge)