Allow users to terminate login sessions

Summary: This is partly a good feature, and partly should reduce false positives on HackerOne reporting things vaguely related to this. Allow a user to terminate login sessions from the settings panel. Test Plan: - Terminated a session. - Terminated all sessions. - Tried to terminate all sessions again. - Logged in with two browsers, terminated the other browser's session, reloaded, got kicked out. Reviewers: btrahan Reviewed By: btrahan Subscribers: epriestley Differential Revision: https://secure.phabricator.com/D8556
2014-03-17 15:02:01 -07:00
parent 38cc38eaf6
commit aea624118b
5 changed files with 131 additions and 3 deletions
--- a/src/applications/auth/controller/PhabricatorAuthTerminateSessionController.php
+++ b/src/applications/auth/controller/PhabricatorAuthTerminateSessionController.php
@@ -0,0 +1,83 @@
+<?php
+
+final class PhabricatorAuthTerminateSessionController
+  extends PhabricatorAuthController {
+
+  private $id;
+
+  public function willProcessRequest(array $data) {
+    $this->id = $data['id'];
+  }
+
+  public function processRequest() {
+    $request = $this->getRequest();
+    $viewer = $request->getUser();
+
+    $is_all = ($this->id === 'all');
+
+    $query = id(new PhabricatorAuthSessionQuery())
+      ->setViewer($viewer)
+      ->withIdentityPHIDs(array($viewer->getPHID()));
+    if (!$is_all) {
+      $query->withIDs(array($this->id));
+    }
+
+    $current_key = PhabricatorHash::digest(
+      $request->getCookie(PhabricatorCookies::COOKIE_SESSION));
+
+    $sessions = $query->execute();
+    foreach ($sessions as $key => $session) {
+      if ($session->getSessionKey() == $current_key) {
+        // Don't terminate the current login session.
+        unset($sessions[$key]);
+      }
+    }
+
+    $panel_uri = '/settings/panel/sessions/';
+
+    if (!$sessions) {
+      $dialog = id(new AphrontDialogView())
+        ->setUser($viewer)
+        ->setTitle(pht('No Matching Sessions'))
+        ->appendParagraph(
+          pht('There are no matching sessions to terminate.'))
+        ->appendParagraph(
+          pht(
+            '(You can not terminate your current login session. To '.
+            'terminate it, log out.)'))
+        ->addCancelButton($panel_uri);
+
+      return id(new AphrontDialogResponse())->setDialog($dialog);
+    }
+
+    if ($request->isDialogFormPost()) {
+      foreach ($sessions as $session) {
+        $session->delete();
+      }
+      return id(new AphrontRedirectResponse())->setURI($panel_uri);
+    }
+
+    if ($is_all) {
+      $title = pht('Terminate Sessions?');
+      $body = pht(
+        'Really terminate all sessions? (Your current login session will '.
+        'not be terminated.)');
+    } else {
+      $title = pht('Terminate Session?');
+      $body = pht(
+        'Really terminate session %s?',
+        phutil_tag('strong', array(), substr($session->getSessionKey(), 0, 6)));
+    }
+
+    $dialog = id(new AphrontDialogView())
+      ->setUser($viewer)
+      ->setTitle($title)
+      ->appendParagraph($body)
+      ->addSubmitButton(pht('Terminate'))
+      ->addCancelButton($panel_uri);
+
+    return id(new AphrontDialogResponse())->setDialog($dialog);
+  }
+
+
+}