From 2211e8d1cd6eb97a8a04e24c1fea7031a201edb5 Mon Sep 17 00:00:00 2001
From: Sorin Davidoi <sorin.davidoi@gmail.com>
Date: Fri, 23 Jun 2017 18:50:53 +0200
Subject: Revocable sessions (#3616)

* feat: Revocable sessions

* fix: Tests using sign_in

* feat: Configuration entry for the maximum number of session activations
---
 app/models/session_activation.rb | 38 ++++++++++++++++++++++++++++++++++++++
 app/models/user.rb               | 14 ++++++++++++++
 2 files changed, 52 insertions(+)
 create mode 100644 app/models/session_activation.rb

(limited to 'app/models')

diff --git a/app/models/session_activation.rb b/app/models/session_activation.rb
new file mode 100644
index 000000000..71e9f023c
--- /dev/null
+++ b/app/models/session_activation.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+# == Schema Information
+#
+# Table name: session_activations
+#
+#  id         :integer          not null, primary key
+#  user_id    :integer          not null
+#  session_id :string           not null
+#  created_at :datetime         not null
+#  updated_at :datetime         not null
+#
+
+class SessionActivation < ApplicationRecord
+  LIMIT = Rails.configuration.x.max_session_activations
+
+  def self.active?(id)
+    id && where(session_id: id).exists?
+  end
+
+  def self.activate(id)
+    activation = create!(session_id: id)
+    purge_old
+    activation
+  end
+
+  def self.deactivate(id)
+    return unless id
+    where(session_id: id).destroy_all
+  end
+
+  def self.purge_old
+    order('created_at desc').offset(LIMIT).destroy_all
+  end
+
+  def self.exclusive(id)
+    where('session_id != ?', id).destroy_all
+  end
+end
diff --git a/app/models/user.rb b/app/models/user.rb
index ca11f2f5d..fccf1089b 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -63,6 +63,8 @@ class User < ApplicationRecord
   # handle this itself, and this can be removed from our User class.
   attribute :otp_secret
 
+  has_many :session_activations, dependent: :destroy
+
   def confirmed?
     confirmed_at.present?
   end
@@ -89,6 +91,18 @@ class User < ApplicationRecord
     settings.auto_play_gif
   end
 
+  def activate_session
+    session_activations.activate(SecureRandom.hex).session_id
+  end
+
+  def exclusive_session(id)
+    session_activations.exclusive(id)
+  end
+
+  def session_active?(id)
+    session_activations.active? id
+  end
+
   protected
 
   def send_devise_notification(notification, *args)
-- 
cgit