From patchwork Wed Jul 29 11:46:10 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Fr=C3=A9d=C3=A9ric_Mangano-Tarumi?=
 <fmang@mg0.fr>
X-Patchwork-Id: 1736
Return-Path: <aur-dev-bounces@archlinux.org>
Delivered-To: patchwork@archlinux.org
Received: from apollo.archlinux.org (localhost [127.0.0.1])
	by apollo.archlinux.org (Postfix) with ESMTP id 3BF1F1A37AC9B
	for <patchwork@archlinux.org>; Wed, 29 Jul 2020 11:46:20 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 apollo.archlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIM_SIGNED=0.1,
	DKIM_VALID=-0.1,DKIM_VALID_AU=-0.1,MAILING_LIST_MULTI=-1,
	RCVD_IN_DNSWL_MED=-2.3,RCVD_IN_MSPIKE_H4=-0.01,RCVD_IN_MSPIKE_WL=-0.01,
	SPF_HELO_NONE=0.001,T_DMARC_POLICY_NONE=0.01 autolearn=ham
	autolearn_force=no version=3.4.4
X-Spam-BL-Results: <dns:70.91.198.88.list.dnswl.org> [127.0.9.2]
	<dns:70.91.198.88.wl.mailspike.net> [127.0.0.19]
Received: from orion.archlinux.org (orion.archlinux.org [88.198.91.70])
	by apollo.archlinux.org (Postfix) with ESMTPS
	for <patchwork@archlinux.org>; Wed, 29 Jul 2020 11:46:20 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
	by orion.archlinux.org (Postfix) with ESMTP id 890071D3637AEC;
	Wed, 29 Jul 2020 11:46:18 +0000 (UTC)
Received: from luna.archlinux.org (luna.archlinux.org [5.9.250.164])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits)
 server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: luna)
	by orion.archlinux.org (Postfix) with ESMTPSA id 29DA71D3637AE6;
	Wed, 29 Jul 2020 11:46:18 +0000 (UTC)
Authentication-Results: orion.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=EQLClrAJ
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
	by luna.archlinux.org (Postfix) with ESMTP id F3A4929CAC;
	Wed, 29 Jul 2020 11:46:17 +0000 (UTC)
Authentication-Results: luna.archlinux.org;
	dkim=pass (1024-bit key) header.d=mg0.fr header.i=@mg0.fr header.b=EQLClrAJ
Received: from luna.archlinux.org (luna.archlinux.org [127.0.0.1])
 by luna.archlinux.org (Postfix) with ESMTP id 9444A29CAB
 for <aur-dev@lists.archlinux.org>; Wed, 29 Jul 2020 11:46:13 +0000 (UTC)
Received: from orion.archlinux.org (orion.archlinux.org
 [IPv6:2a01:4f8:160:6087::1])
 by luna.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@lists.archlinux.org>; Wed, 29 Jul 2020 11:46:13 +0000 (UTC)
Received: from orion.archlinux.org (localhost [127.0.0.1])
 by orion.archlinux.org (Postfix) with ESMTP id D697E1D3637AE1
 for <aur-dev@archlinux.org>; Wed, 29 Jul 2020 11:46:11 +0000 (UTC)
Received: from tsubame.mg0.fr (tsubame.mg0.fr [IPv6:2001:41d0:401:3100::402b])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange ECDHE (P-384) server-signature RSA-PSS (4096 bits) server-digest
 SHA256) (No client certificate requested)
 by orion.archlinux.org (Postfix) with ESMTPS
 for <aur-dev@archlinux.org>; Wed, 29 Jul 2020 11:46:11 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=mg0.fr;
 s=tsubame; h=Message-ID:Subject:To:From:Date:cc;
 bh=IJ1QHpDzFpVpiArta0y9bQnOrPO7QThFZBctgyoGmjI=; b=EQLClrAJCi8GTumv0oJLT/CIiA
 p9PoyjwbDw6KS54k6x4AEvkaFKkQOC846EdyerrCGM1IVewEFTWw6xyJEkcW3VbgZbm9TCJVA9wyw
 wkFwtd1rcQYAR541B5emE7Vw43F2ezzZRvljJFckgTs3Gt9e4EuY2GcAvvwt13BhdmcM=;
Received: from fmang by tsubame.mg0.fr with local (Exim 4.94)
 (envelope-from <fmang@mg0.fr>) id 1k0kXC-002i6u-5a
 for aur-dev@archlinux.org; Wed, 29 Jul 2020 13:46:10 +0200
Date: Wed, 29 Jul 2020 13:46:10 +0200
From: =?utf-8?b?RnLDqWTDqXJpYw==?= Mangano-Tarumi <fmang@mg0.fr>
To: aur-dev@archlinux.org
Subject: [PATCH] Remove the per-user session limit
Message-ID: <20200729114610.GA646215@tsubame.mg0.fr>
MIME-Version: 1.0
Content-Disposition: inline
X-BeenThere: aur-dev@archlinux.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: "Arch User Repository \(AUR\) Development" <aur-dev.archlinux.org>
List-Unsubscribe: <https://lists.archlinux.org/options/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=unsubscribe>
List-Archive: <https://lists.archlinux.org/pipermail/aur-dev/>
List-Post: <mailto:aur-dev@archlinux.org>
List-Help: <mailto:aur-dev-request@archlinux.org?subject=help>
List-Subscribe: <https://lists.archlinux.org/listinfo/aur-dev>,
 <mailto:aur-dev-request@archlinux.org?subject=subscribe>
Errors-To: aur-dev-bounces@archlinux.org
Sender: "aur-dev" <aur-dev-bounces@archlinux.org>

This feature was originally introduced by
f961ffd9c7f2d3d51d3e3b060990a4fef9e56c1b as a fix for FS#12898
<https://bugs.archlinux.org/task/12898>.

As of today, it is broken because of the `q.SessionID IS NULL` condition
in the WHERE clause, which can’t be true because SessionID is not
nullable. As a consequence, the session limit was not applied.

The fact the absence of the session limit hasn’t caused any issue so
far, and hadn’t even been noticed, suggests the feature is unneeded.
---
 aurweb/routers/sso.py     |  2 +-
 conf/config.defaults      |  1 -
 web/lib/acctfuncs.inc.php | 17 -----------------
 3 files changed, 1 insertion(+), 19 deletions(-)

diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
index 2e4fbacc..73c884a4 100644
--- a/aurweb/routers/sso.py
+++ b/aurweb/routers/sso.py
@@ -56,7 +56,7 @@ def open_session(request, conn, user_id):
         raise HTTPException(status_code=403, detail=_('Account suspended'))
         # TODO This is a terrible message because it could imply the attempt at
         #      logging in just caused the suspension.
-    # TODO apply [options] max_sessions_per_user
+
     sid = uuid.uuid4().hex
     conn.execute(Sessions.insert().values(
         UsersID=user_id,
diff --git a/conf/config.defaults b/conf/config.defaults
index 49259754..98e033b7 100644
--- a/conf/config.defaults
+++ b/conf/config.defaults
@@ -13,7 +13,6 @@ passwd_min_len = 8
 default_lang = en
 default_timezone = UTC
 sql_debug = 0
-max_sessions_per_user = 8
 login_timeout = 7200
 persistent_cookie_timeout = 2592000
 max_filesize_uncompressed = 8388608
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index ebabb840..bc603d3b 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -596,23 +596,6 @@ function try_login() {
 
 	/* Generate a session ID and store it. */
 	while (!$logged_in && $num_tries < 5) {
-		$session_limit = config_get_int('options', 'max_sessions_per_user');
-		if ($session_limit) {
-			/*
-			 * Delete all user sessions except the
-			 * last ($session_limit - 1).
-			 */
-			$q = "DELETE s.* FROM Sessions s ";
-			$q.= "LEFT JOIN (SELECT SessionID FROM Sessions ";
-			$q.= "WHERE UsersId = " . $userID . " ";
-			$q.= "ORDER BY LastUpdateTS DESC ";
-			$q.= "LIMIT " . ($session_limit - 1) . ") q ";
-			$q.= "ON s.SessionID = q.SessionID ";
-			$q.= "WHERE s.UsersId = " . $userID . " ";
-			$q.= "AND q.SessionID IS NULL;";
-			$dbh->query($q);
-		}
-
 		$new_sid = new_sid();
 		$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
 		  ." VALUES (" . $userID . ", '" . $new_sid . "', " . strval(time()) . ")";