Logout existing sessions after an auth config change

Func86 · Func86 · commit 12e1112b61d2 · 2024-09-18T00:25:38.000+08:00
Closes qbittorrent#18443
diff --git a/src/base/preferences.cpp b/src/base/preferences.cpp
@@ -657,6 +657,7 @@ void Preferences::setWebUILocalAuthEnabled(const bool enabled)
     if (enabled == isWebUILocalAuthEnabled())
         return;
 
+    m_authBypassChanged = true;
     setValue(u"Preferences/WebUI/LocalHostAuth"_s, enabled);
 }
 
@@ -670,6 +671,7 @@ void Preferences::setWebUIAuthSubnetWhitelistEnabled(const bool enabled)
     if (enabled == isWebUIAuthSubnetWhitelistEnabled())
         return;
 
+    m_authBypassChanged = true;
     setValue(u"Preferences/WebUI/AuthSubnetWhitelistEnabled"_s, enabled);
 }
 
@@ -763,6 +765,7 @@ void Preferences::setWebUIUsername(const QString &username)
     if (username == getWebUIUsername())
         return;
 
+    m_credentialsChanged = true;
     setValue(u"Preferences/WebUI/Username"_s, username);
 }
 
@@ -776,6 +779,7 @@ void Preferences::setWebUIPassword(const QByteArray &password)
     if (password == getWebUIPassword())
         return;
 
+    m_credentialsChanged = true;
     setValue(u"Preferences/WebUI/Password_PBKDF2"_s, password);
 }
 
@@ -1977,5 +1981,9 @@ void Preferences::setAddNewTorrentDialogSavePathHistoryLength(const int value)
 void Preferences::apply()
 {
     if (SettingsStorage::instance()->save())
+    {
         emit changed();
+        if (m_credentialsChanged || m_authBypassChanged)
+            emit webAuthConfigChanged(m_credentialsChanged);
+    }
 }
diff --git a/src/base/preferences.h b/src/base/preferences.h
@@ -430,7 +430,11 @@ public slots:
 
 signals:
     void changed();
+    void webAuthConfigChanged(bool credentialsChanged);
 
 private:
     static Preferences *m_instance;
+
+    bool m_credentialsChanged = false;
+    bool m_authBypassChanged = false;
 };
diff --git a/src/webui/api/authcontroller.cpp b/src/webui/api/authcontroller.cpp
@@ -81,7 +81,7 @@ void AuthController::loginAction()
     {
         m_clientFailedLogins.remove(clientAddr);
 
-        m_sessionManager->sessionStart();
+        m_sessionManager->sessionStart(true);
         setResult(u"Ok."_s);
         LogMsg(tr("WebAPI login success. IP: %1").arg(clientAddr));
     }
diff --git a/src/webui/api/isessionmanager.h b/src/webui/api/isessionmanager.h
@@ -43,6 +43,6 @@ struct ISessionManager
     virtual ~ISessionManager() = default;
     virtual QString clientId() const = 0;
     virtual ISession *session() = 0;
-    virtual void sessionStart() = 0;
+    virtual void sessionStart(bool authenticated) = 0;
     virtual void sessionEnd() = 0;
 };
diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
@@ -170,6 +170,7 @@ WebApplication::WebApplication(IApplication *app, QObject *parent)
 
     configure();
     connect(Preferences::instance(), &Preferences::changed, this, &WebApplication::configure);
+    connect(Preferences::instance(), &Preferences::webAuthConfigChanged, this, &WebApplication::logoutExistingSessions);
 
     m_sessionCookieName = Preferences::instance()->getWebAPISessionCookieName();
     if (!isValidCookieName(m_sessionCookieName))
@@ -299,6 +300,29 @@ const Http::Environment &WebApplication::env() const
     return m_env;
 }
 
+void WebApplication::logoutExistingSessions(bool credentialsChanged)
+{
+    if (credentialsChanged)
+    {
+        qDeleteAll(m_sessions);
+	    m_sessions.clear();
+    }
+    else
+    {
+        // remove sessions which bypassed authentication
+        Algorithm::removeIf(m_sessions, [this](const QString &, const WebSession *session)
+        {
+            if (!session->isAuthenticated())
+            {
+                delete session;
+                return true;
+            }
+
+            return false;
+        });
+    }
+}
+
 void WebApplication::setUsername(const QString &username)
 {
     m_authController->setUsername(username);
@@ -677,7 +701,7 @@ void WebApplication::sessionInitialize()
     }
 
     if (!m_currentSession && !isAuthNeeded())
-        sessionStart();
+        sessionStart(false);
 }
 
 QString WebApplication::generateSid() const
@@ -710,7 +734,7 @@ bool WebApplication::isPublicAPI(const QString &scope, const QString &action) co
     return m_publicAPIs.contains(u"%1/%2"_s.arg(scope, action));
 }
 
-void WebApplication::sessionStart()
+void WebApplication::sessionStart(bool authenticated)
 {
     Q_ASSERT(!m_currentSession);
 
@@ -726,7 +750,7 @@ void WebApplication::sessionStart()
         return false;
     });
 
-    m_currentSession = new WebSession(generateSid(), app());
+    m_currentSession = new WebSession(generateSid(), app(), authenticated);
     m_sessions[m_currentSession->id()] = m_currentSession;
 
     m_currentSession->registerAPIController(u"app"_s, new AppController(app(), this));
@@ -911,9 +935,10 @@ QHostAddress WebApplication::resolveClientAddress() const
 
 // WebSession
 
-WebSession::WebSession(const QString &sid, IApplication *app)
+WebSession::WebSession(const QString &sid, IApplication *app, bool authenticated)
     : ApplicationComponent(app)
     , m_sid {sid}
+    , m_authenticated {authenticated}
 {
     updateTimestamp();
 }
@@ -935,6 +960,11 @@ void WebSession::updateTimestamp()
     m_timer.start();
 }
 
+bool WebSession::isAuthenticated() const
+{
+    return m_authenticated;
+}
+
 void WebSession::registerAPIController(const QString &scope, APIController *controller)
 {
     Q_ASSERT(controller);
diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
@@ -71,19 +71,21 @@ namespace BitTorrent
 class WebSession final : public ApplicationComponent<QObject>, public ISession
 {
 public:
-    explicit WebSession(const QString &sid, IApplication *app);
+    explicit WebSession(const QString &sid, IApplication *app, bool authenticated);
 
     QString id() const override;
 
     bool hasExpired(qint64 seconds) const;
     void updateTimestamp();
+    bool isAuthenticated() const;
 
     void registerAPIController(const QString &scope, APIController *controller);
     APIController *getAPIController(const QString &scope) const;
 
 private:
     const QString m_sid;
     QElapsedTimer m_timer;  // timestamp
+    bool m_authenticated;
     QMap<QString, APIController *> m_apiControllers;
 };
 
@@ -106,10 +108,13 @@ class WebApplication final : public ApplicationComponent<QObject>
     void setUsername(const QString &username);
     void setPasswordHash(const QByteArray &passwordHash);
 
+public slots:
+    void logoutExistingSessions(bool credentialsChanged);
+
 private:
     QString clientId() const override;
     WebSession *session() override;
-    void sessionStart() override;
+    void sessionStart(bool authenticated) override;
     void sessionEnd() override;
 
     void doProcessRequest();

Original file line number	Diff line number	Diff line change
`@@ -657,6 +657,7 @@ void Preferences::setWebUILocalAuthEnabled(const bool enabled)`
`657`	`657`	`if (enabled == isWebUILocalAuthEnabled())`
`658`	`658`	`return;`
`659`	`659`
	`660`	`+ m_authBypassChanged = true;`
`660`	`661`	`setValue(u"Preferences/WebUI/LocalHostAuth"_s, enabled);`
`661`	`662`	`}`
`662`	`663`
`@@ -670,6 +671,7 @@ void Preferences::setWebUIAuthSubnetWhitelistEnabled(const bool enabled)`
`670`	`671`	`if (enabled == isWebUIAuthSubnetWhitelistEnabled())`
`671`	`672`	`return;`
`672`	`673`
	`674`	`+ m_authBypassChanged = true;`
`673`	`675`	`setValue(u"Preferences/WebUI/AuthSubnetWhitelistEnabled"_s, enabled);`
`674`	`676`	`}`
`675`	`677`
`@@ -763,6 +765,7 @@ void Preferences::setWebUIUsername(const QString &username)`
`763`	`765`	`if (username == getWebUIUsername())`
`764`	`766`	`return;`
`765`	`767`
	`768`	`+ m_credentialsChanged = true;`
`766`	`769`	`setValue(u"Preferences/WebUI/Username"_s, username);`
`767`	`770`	`}`
`768`	`771`
`@@ -776,6 +779,7 @@ void Preferences::setWebUIPassword(const QByteArray &password)`
`776`	`779`	`if (password == getWebUIPassword())`
`777`	`780`	`return;`
`778`	`781`
	`782`	`+ m_credentialsChanged = true;`
`779`	`783`	`setValue(u"Preferences/WebUI/Password_PBKDF2"_s, password);`
`780`	`784`	`}`
`781`	`785`
`@@ -1977,5 +1981,9 @@ void Preferences::setAddNewTorrentDialogSavePathHistoryLength(const int value)`
`1977`	`1981`	`void Preferences::apply()`
`1978`	`1982`	`{`
`1979`	`1983`	`if (SettingsStorage::instance()->save())`
	`1984`	`+ {`
`1980`	`1985`	`emit changed();`
	`1986`	`+ if (m_credentialsChanged \|\| m_authBypassChanged)`
	`1987`	`+ emit webAuthConfigChanged(m_credentialsChanged);`
	`1988`	`+ }`
`1981`	`1989`	`}`
Original file line number	Diff line number	Diff line change
`@@ -81,7 +81,7 @@ void AuthController::loginAction()`
`81`	`81`	`{`
`82`	`82`	`m_clientFailedLogins.remove(clientAddr);`
`83`	`83`
`84`		`- m_sessionManager->sessionStart();`
	`84`	`+ m_sessionManager->sessionStart(true);`
`85`	`85`	`setResult(u"Ok."_s);`
`86`	`86`	`LogMsg(tr("WebAPI login success. IP: %1").arg(clientAddr));`
`87`	`87`	`}`