2022-02-27 22:21:37 (UTC-03:00)
Marcel Rodrigues <marcelgmr@gmail.com>
use cookies for session management
diff --git a/app.lua b/app.lua
index 14f3a57..b891752 100644
--- a/app.lua
+++ b/app.lua
@@ -68,12 +68,24 @@ local conf = dofile(path.."/conf.lua")
 git.init()
 local groups = scan.scanrepos(path)
-local me
+local sessions = {}
+
+local function get_user(cookies)
+ local session_id = cookies["sid"]
+ if session_id == nil then
+ return nil
+ end
+ local uname = sessions[session_id]
+ if uname == nil then
+ return nil
+ end
+ return conf.users[uname]
+end
 local routes = {
 {"GET", "/?", function (req)
- local user = conf.users[me]
+ local user = get_user(req.cookies)
 local gnames = {}
 for gname in pairs(groups) do
 if allowed(user, gname) then
@@ -101,9 +113,11 @@ local routes = {
 salt = lud.crypt.b64_dec(user.salt)
 h = hash.hash_pass(pass, salt)
 if h == lud.crypt.b64_dec(user.hash) then
- me = uname
+ local session_id = lud.crypt.b64_enc(lud.crypt.uuid4())
+ sessions[session_id] = uname
 conf.log(LOG_INFO, "logged in as "..uname)
- return "/", 303
+ local cookie = {key="sid", val=session_id, path="/", age=2*60*60}
+ return "/", 303, "See Other", {cookie}
 else
 conf.log(LOG_INFO, "invalid password")
 end
@@ -112,12 +126,15 @@ local routes = {
 end},
 {"GET", "/logout", function (req)
- me = nil
+ local session_id = req.cookies["sid"]
+ if session_id ~= nil then
+ sessions[session_id] = nil
+ end
 return "/", 303
 end},
 {"GET", "/group/([%w_-]+)", function (req, gname)
- local user = conf.users[me]
+ local user = get_user(req.cookies)
 if not allowed(user, gname) then
 return "/login", 303
 end
@@ -130,7 +147,7 @@ local routes = {
 end},
 {"GET", "/group/([%w_-]+)/repo/([%w_-]+)", function (req, gname, rname)
- local user = conf.users[me]
+ local user = get_user(req.cookies)
 if not allowed(user, gname) then
 return "/login", 303
 end
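Review bot: Entries in `sessions` never expire on the server side, so a session id stays valid indefinitely even though the login route only hands the browser a cookie with `age=2*60*60`; only `/logout` removes an entry, and the table grows by one key per successful login for the life of the process. A captured or leaked sid therefore works for as long as the server runs, not for two hours. Storing an expiry next to the username and checking it in `get_user` (dropping stale entries as they are touched) closes that gap; the login route would then write `sessions[session_id] = {uname=uname, expires=os.time()+SESSION_TTL}` instead of the bare username. The `2*60*60` literal should come from one shared constant so the cookie age and the server-side TTL cannot drift apart.
```lua
local SESSION_TTL = 2*60*60  -- seconds; also used for the cookie age in the login route

local function get_user(cookies)
  local session_id = cookies["sid"]
  if session_id == nil then
    return nil
  end
  local entry = sessions[session_id]
  if entry == nil then
    return nil
  end
  if os.time() >= entry.expires then
    sessions[session_id] = nil  -- lazily evict the expired session
    return nil
  end
  return conf.users[entry.uname]
end
```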
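Review bot: The cookie built in `local cookie = {key="sid", val=session_id, path="/", age=2*60*60}` carries no HttpOnly, Secure or SameSite attributes, so the session id is readable by any script that runs on the page and is sent over plain HTTP if the site is ever reachable that way. If the cookie table supports such fields, add `httponly=true, secure=true, samesite="Lax"` to that table; if the serializer does not yet emit them, that is the place to add it. The strength of the sid rests entirely on `lud.crypt.uuid4()` drawing from a CSPRNG, which is not visible here and is worth confirming. A repeat login also leaves the user's earlier sid valid in `sessions`, which is acceptable for multi-device use but means logging in again does not revoke a leaked id. The login handler begins outside this hunk.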
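Review bot: `/logout` deletes the server-side entry but leaves the `sid` cookie in the browser, so the client keeps presenting a dead id on every request until the two-hour age elapses. Returning an expiring cookie with the redirect, e.g. `return "/", 303, "See Other", {{key="sid", val="", path="/", age=0}}`, clears it — assuming the cookie serializer treats `age=0` as expire-now, which should be confirmed. Logout is also a GET with no CSRF protection, so any third-party page can sign a user out by linking to it; low impact, but a POST form would close it.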
@@ -145,7 +162,7 @@ local routes = {
 end},
 {"GET", "/group/([%w_-]+)/repo/([%w_-]+)/history/([%w_-]+)", function (req, gname, rname, first)
- local user = conf.users[me]
+ local user = get_user(req.cookies)
 if not allowed(user, gname) then
 return "/login", 303
 end
@@ -160,7 +177,7 @@ local routes = {
 end},
 {"GET", "/group/([%w_-]+)/repo/([%w_-]+)/commit/([%w_-]+)", function (req, gname, rname, cid)
- local user = conf.users[me]
+ local user = get_user(req.cookies)
 if not allowed(user, gname) then
 return "/login", 303
 end
@@ -178,7 +195,7 @@ local routes = {
 end},
 {"GET", "/group/([%w_-]+)/repo/([%w_-]+)/commit/([%w_-]+)/tree/(.*)", function (req, gname, rname, cid, path)
- local user = conf.users[me]
+ local user = get_user(req.cookies)
 if not allowed(user, gname) then
 return "/login", 303
 end