PennyDreadfulMTG / Penny-Dreadful-Tools

A suite of tools for the Penny Dreadful MTGO community
https://pennydreadfulmagic.com
MIT License
40 stars, 28 forks

Don't require logout/login to change a user's permissions on pdm #7524

Open. vorpal-buildbot opened this issue 4 years ago

vorpal-buildbot commented 4 years ago

Reported on Discord by bakert#2193

bakert commented 2 years ago

We possibly want to store the refresh token and re-check with Discord's OAuth if the session is older than N hours (minutes?) old.

https://discord.com/developers/docs/topics/oauth2

bakert commented 5 months ago

I have set up a rather hacky way to revoke admin or demimod privileges (or set them!)

You make an entry in decksite's permission_changes table with NULL, 'admin' or 'demimod' alongside the Discord ID you want to revoke or grant privileges to.

Because folks might be logged in in multiple locations we're just doing this check on every page load forever which sucks pretty bad.

The right fix here is something like:

This is a bit more complicated than it sounds (and it sounds a little complicated) because the auth stuff is very shared_web and not very decksite. It needs to mostly be migrated to decksite if it's going to use a table in decksite's db to track all this. And we do just reach into the session cookie and do things in quite a few places including when logging any GitHub ticket (but we do check flask.request is not None first to avoid runtime errors). So we'd need to work out a sensible way for those parts of the code to ask for auth info. Or maybe just exempt them from going through wrapper code and let them look in the session. Anyway, you get the idea, it's not totally straightforward. But it would be good to get this ship shape.
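The two ideas in this thread (re-checking a session's permissions once it is older than some interval, and the permission_changes table that every page load consults) can be shown together. The following is an added example written for this issue, not code from Penny-Dreadful-Tools: the permission_changes schema, the column names, and the session keys (`perms_change_seen`, `perms_checked_at`) are assumptions, the table lives in an in-memory SQLite database, and a plain dict stands in for `flask.session`. Rows are never consumed, so a user logged in from several locations has every session pick the change up independently, and `recheck_every` bounds how stale a cached role can be (0 means "check on every page load", as the thread describes).

```python
import sqlite3

# Role values follow the NULL / 'admin' / 'demimod' convention from the issue.
VALID_ROLES = {None, 'admin', 'demimod'}


def make_db():
    """In-memory stand-in for decksite's permission_changes table (constructed schema)."""
    conn = sqlite3.connect(':memory:')
    conn.execute(
        'CREATE TABLE permission_changes ('
        '  id INTEGER PRIMARY KEY AUTOINCREMENT,'
        '  discord_id TEXT NOT NULL,'
        '  role TEXT,'  # NULL revokes; 'admin' or 'demimod' grants
        '  created_at INTEGER NOT NULL)'
    )
    return conn


def queue_permission_change(conn, discord_id, role, now):
    """Record a grant (role) or revoke (None) for a Discord ID.

    Rows are never deleted: each session for that user, wherever it is logged
    in, applies them on its own, which is why a single session must not
    'consume' the row."""
    if role not in VALID_ROLES:
        raise ValueError(f'unknown role {role!r}')
    cur = conn.execute(
        'INSERT INTO permission_changes (discord_id, role, created_at) VALUES (?, ?, ?)',
        (discord_id, role, now))
    conn.commit()
    return cur.lastrowid


def start_session(discord_id, role_at_login, now):
    """Plain dict standing in for flask.session (assumed keys, not the project's)."""
    return {
        'discord_id': discord_id,
        'role': role_at_login,
        'perms_change_seen': 0,   # highest permission_changes.id applied to this session
        'perms_checked_at': now,  # when the table was last consulted for this session
    }


def refresh_permissions(conn, session, now, recheck_every=0):
    """Run once per request (a before_request hook in Flask).

    recheck_every=0 consults the table on every page load; a positive value
    skips the query until the cached role is that many seconds old, trading a
    bounded delay in revocation for fewer queries. Returns True if the
    session's role changed."""
    if now - session['perms_checked_at'] < recheck_every:
        return False
    session['perms_checked_at'] = now
    # Only the newest unseen row matters: later entries override earlier ones.
    row = conn.execute(
        'SELECT id, role FROM permission_changes '
        'WHERE discord_id = ? AND id > ? ORDER BY id DESC LIMIT 1',
        (session['discord_id'], session['perms_change_seen'])).fetchone()
    if row is None:
        return False
    session['role'] = row[1]
    session['perms_change_seen'] = row[0]
    return True


def is_admin(session):
    return session['role'] == 'admin'


if __name__ == '__main__':
    db = make_db()
    desktop = start_session('1234', None, now=0)   # constructed Discord ID
    laptop = start_session('1234', None, now=0)    # same user, second location
    queue_permission_change(db, '1234', 'admin', now=5)
    refresh_permissions(db, desktop, now=6)
    refresh_permissions(db, laptop, now=6)
    print(is_admin(desktop), is_admin(laptop))     # both sessions see the grant
    queue_permission_change(db, '1234', None, now=9)
    refresh_permissions(db, desktop, now=10)
    print(is_admin(desktop))                       # revoked without logging out
```

The revoke path is the one worth keeping in mind when picking `recheck_every`: with a non-zero interval, a user whose admin role has been removed keeps it in that session until the interval expires, so the value should be small enough that a stale grant is tolerable.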