From 62a115b56ef038e2f531d8f8582cc1982f006d47 Mon Sep 17 00:00:00 2001
From: Terry Geng
Date: Mon, 18 May 2020 13:30:18 +0800
Subject: [PATCH] feat: record IP. refresh cookie if new token is provided
---
 command.py | 3 ++-
 interface.py | 18 ++++++++++++------
 2 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/command.py b/command.py
index ddd41e3..dcf4da3 100644
--- a/command.py
+++ b/command.py
@@ -1191,7 +1191,8 @@ def cmd_web_access(bot, user, text, command, parameter):
 else:
 token = secrets.token_urlsafe(5)
 var.db.set("web_token", token, user)
- var.db.set("user", user, json.dumps({'token': token, 'datetime': str(datetime.datetime.now()), 'IP': ''}))
+
+ var.db.set("user", user, json.dumps({'token': token, 'datetime': str(datetime.datetime.now()), 'IP': ''}))
 access_address = var.config.get("webinterface", "access_address")
 bot.send_msg(constants.strings('webpage_token', address=access_address, token=token), text)
diff --git a/interface.py b/interface.py
index c5c5de9..21547d7 100644
--- a/interface.py
+++ b/interface.py
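Review bot: The token minted by `secrets.token_urlsafe(5)` in the command.py hunk has only 5 random bytes (40 bits), which is short for a value that interface.py accepts from the query string as the credential for token auth. A longer value such as `secrets.token_urlsafe(16)` would make guessing impractical. Indentation is lost in this rendering, but the re-added `var.db.set("user", ...)` line appears to have moved out of the `else:` branch. If so, every call rewrites the record with a fresh `datetime` and `'IP': ''`, discarding the address recorded at login, so a comment stating whether that reset is intended would help. `cmd_web_access` starts and ends outside the hunk.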
@@ -105,26 +105,32 @@ def requires_auth(f):
 if var.config.getboolean("webinterface", "require_auth") and (
 not auth or not check_auth(auth.username, auth.password)):
 if auth:
- log.warning("web: failed login attempt, user: %s" % auth.username)
+ log.warning(f"web: failed login attempt, user: {auth.username}, from ip {request.remote_addr}.")
 return authenticate()
 if auth_method == 'token':
- if 'token' in session:
+ if 'token' in session and 'token' not in request.args:
 token = session['token']
 token_user = var.db.get("web_token", token, fallback=None)
 if token_user is not None:
 user = token_user
- log.debug(f"web: token validated for the user: {token_user}")
+ log.debug(f"web: token validated for the user: {token_user}, from ip {request.remote_addr}.")
 return f(*args, **kwargs)
- else:
+ elif 'token' in request.args:
 token = request.args.get('token')
 token_user = var.db.get("web_token", token, fallback=None)
 if token_user is not None:
 user = token_user
- log.info(f"web: new user access, token validated for the user: {token_user}")
+
+ user_info = var.db.get("user", user, fallback=None)
+ user_dict = json.loads(user_info)
+ user_dict['IP'] = request.remote_addr
+ var.db.set("user", user, json.dumps(user_dict))
+
+ log.info(f"web: new user access, token validated for the user: {token_user}, from ip {request.remote_addr}.")
 session['token'] = token
 return f(*args, **kwargs)
- log.info(f"web: bad token used: {token}")
+ log.info(f"web: bad token used: {token}, from ip {request.remote_addr}.")
 abort(403)
 return f(*args, **kwargs)
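Review bot: A request with no `token` in the session and none in the query string now skips both the `if` and the new `elif`, so the final `log.info(f"web: bad token used: {token}, ...")` reads a name neither branch assigned. Unless `token` is set above the hunk (the enclosing function begins outside it), that raises before `abort(403)` is reached; keeping the second branch as `else:` or adding `token = None` ahead of the `if` restores the 403. The new IP-recording lines also pass `var.db.get("user", user, fallback=None)` straight to `json.loads`, which raises `TypeError` when the user record is missing, so a valid token ends in a server error; `fallback='{}'` would avoid that. `request.remote_addr` is the peer address, so behind a reverse proxy the stored `'IP'` and every log line will show the proxy rather than the client. `auth.username` and `token` are written to the log unescaped, so `{auth.username!r}` and `{token!r}` would keep a crafted value from breaking the line format.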