feat: several improvements to azlux's token auth scheme #154

1. 'auth_method' in config, where users can select between 'password' and 'token'. 2. create index for token, avoid iterating the entire user section when validating tokens. 3. only generate token for a user when there's no token for him in the db, avoid tokens fill the db.
2020-05-18 10:17:08 +08:00
parent 4017e7bff0
commit edf5495fe5
5 changed files with 64 additions and 69 deletions
--- a/command.py
+++ b/command.py
@ -1183,9 +1183,18 @@ def cmd_web_access(bot, user, text, command, parameter):
    import secrets
    import datetime
    import json
-    token = secrets.token_urlsafe(5)
-    var.db.set("user", user, json.dumps({'token': token, 'datetime': str(datetime.datetime.now()), 'IP':''}))
-    bot.send_msg(constants.strings('webpage_token',token=token), text)
+
+    user_info = var.db.get("user", user, fallback=None)
+    if user_info is not None:
+        user_dict = json.loads(user_info)
+        token = user_dict['token']
+    else:
+        token = secrets.token_urlsafe(5)
+        var.db.set("web_token", token, user)
+        var.db.set("user", user, json.dumps({'token': token, 'datetime': str(datetime.datetime.now()), 'IP': ''}))
+
+    access_address = var.config.get("webinterface", "access_address")
+    bot.send_msg(constants.strings('webpage_token', address=access_address, token=token), text)

 # Just for debug use
 def cmd_real_time_rms(bot, user, text, command, parameter):