From 2406fc4efeade10fa9836cf43dbc720d128a3ca1 Mon Sep 17 00:00:00 2001
From: Daniel Friesel
Date: Fri, 3 Mar 2023 15:05:43 +0100
Subject: token: do not expose full checkin timestamp
---
 lib/Travelynx/Controller/Traveling.pm | 4 ++--
 templates/_checked_in.html.ep | 2 +-
 templates/journey.html.ep | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/Travelynx/Controller/Traveling.pm b/lib/Travelynx/Controller/Traveling.pm
index fcc95ed..8cf1722 100755
--- a/lib/Travelynx/Controller/Traveling.pm
+++ b/lib/Travelynx/Controller/Traveling.pm
@@ -471,7 +471,7 @@ sub status_token_ok {
 $ts2 //= $ts2_ext;
 if ( $eva == $status->{dep_eva}
- and $ts == $status->{timestamp}->epoch
+ and $ts == $status->{timestamp}->epoch % 337
 and $ts2 == $status->{sched_departure}->epoch )
 {
 return 1;
@@ -491,7 +491,7 @@ sub journey_token_ok {
 $ts2 //= $ts2_ext;
 if ( $eva == $journey->{from_eva}
- and $ts == $journey->{checkin_ts}
+ and $ts == $journey->{checkin_ts} % 337
 and $ts2 == $journey->{sched_dep_ts} )
 {
 return 1;
diff --git a/templates/_checked_in.html.ep b/templates/_checked_in.html.ep
index 8e1fd1d..0ead240 100644
--- a/templates/_checked_in.html.ep
+++ b/templates/_checked_in.html.ep
@@ -286,7 +286,7 @@
 data-url="<%= url_for('/status')->to_abs->scheme('https') %>/<%= $user->{name} %>/<%= $journey->{sched_departure}->epoch %>"
 % }
 % elsif ($journey_visibility eq 'travelynx' or $journey_visibility eq 'unlisted') {
- data-url="<%= url_for('/status')->to_abs->scheme('https') %>/<%= $user->{name} %>/<%= $journey->{sched_departure}->epoch %>?token=<%= $journey->{dep_eva} %>-<%= $journey->{timestamp}->epoch %>"
+ data-url="<%= url_for('/status')->to_abs->scheme('https') %>/<%= $user->{name} %>/<%= $journey->{sched_departure}->epoch %>?token=<%= $journey->{dep_eva} %>-<%= $journey->{timestamp}->epoch % 337 %>"
 % }
 >
 Teilen
diff --git a/templates/journey.html.ep b/templates/journey.html.ep
index ee5d008..6ed204f 100644
--- a/templates/journey.html.ep
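Review bot: Comparing against `$status->{timestamp}->epoch % 337` leaves only 337 possible values for the one component of the share token that is not already in the link (the scheduled-departure epoch is the URL path segment in the template hunk, and the station id is presumably visible on the shared page itself), so an "unlisted" status is no longer protected by its token, only by obscurity; the same applies to `journey_token_ok` in the second hunk and to the two template hunks that build the token with the same modulus. The commit's stated goal, not exposing the full checkin timestamp, is met without this loss by deriving the token from a keyed hash of the timestamp, e.g. `hmac_sha256_hex` from the core Digest::SHA module keyed with the application secret, and comparing it with `eq` instead of `==`; the token parsing that fills `$ts` is outside the hunk, so I am assuming it splits on `-`, which a hex digest does not contain. Putting that derivation in one helper called from both templates and both `*_token_ok` checks would also remove the constant 337 that this commit duplicates across four sites, where changing it in one place silently breaks every shared link. `status_token_ok` starts before the hunk and continues after it.
```perl
# Share-link token: a keyed hash hides the checkin timestamp without making the
# token enumerable. The templates and both *_token_ok checks must use this helper
# so the derivation exists in exactly one place.
sub share_token {
	my ( $self, $eva, $ts ) = @_;
	return substr( hmac_sha256_hex( "$eva-$ts", $self->app->secrets->[0] ), 0, 16 );
}
# … unchanged: status_token_ok up to the comparison …
	if ( $eva == $status->{dep_eva}
		and $ts eq $self->share_token( $status->{dep_eva}, $status->{timestamp}->epoch )
		and $ts2 == $status->{sched_departure}->epoch )
```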
+++ b/templates/journey.html.ep
@@ -250,7 +250,7 @@
 data-url="<%= url_for('public_journey', name => current_user()->{name}, id => $journey->{id} )->to_abs->scheme('https'); %>"
 % }
 % else {
- data-url="<%= url_for('public_journey', name => current_user()->{name}, id => $journey->{id} )->to_abs->scheme('https'); %>?token=<%= $journey->{from_eva} %>-<%= $journey->{checkin_ts} %>-<%= $journey->{sched_dep_ts} %>"
+ data-url="<%= url_for('public_journey', name => current_user()->{name}, id => $journey->{id} )->to_abs->scheme('https'); %>?token=<%= $journey->{from_eva} %>-<%= $journey->{checkin_ts} % 337 %>-<%= $journey->{sched_dep_ts} %>"
 % }
 data-text="<%= stash('share_text') %>"
 >
-- 
cgit v1.2.3