Rotate the session just after login (#2483)

* Rotate the session just after login * Add pending deletion of user to admin panel * reforemat
2025-12-10 23:17:21 +08:00 · 2025-05-28 15:24:04 +02:00 · 2025-05-28 15:24:04 +02:00 · a6f389470c
commit a6f389470c
parent ee04839572
2 changed files with 11 additions and 0 deletions
--- a/app/auth/views/login_utils.py
+++ b/app/auth/views/login_utils.py
@ -1,3 +1,4 @@
+import uuid
 from time import time
 from typing import Optional

@ -33,6 +34,8 @@ def after_login(user, next_url, login_from_proton: bool = False):
                return redirect(url_for("auth.mfa"))

    LOG.d("log user %s in", user)
+    # Change session_id so that session cannot be re-used
+    session.session_id = str(uuid.uuid4())
    login_user(user)
    session["sudo_time"] = int(time())

--- a/templates/admin/email_search.html
+++ b/templates/admin/email_search.html
@ -10,6 +10,7 @@
        <th scope="col">Email</th>
        <th scope="col">Verified</th>
        <th scope="col">Status</th>
+        <th scope="col">Pending deletion</th>
        <th scope="col">Paid</th>
        <th scope="col">Premium</th>
        <th>Subscription</th>
@ -36,6 +37,12 @@
        {% else %}
          <td class="text-success">Enabled</td>
        {% endif %}
+        {% if user.delete_on %}
+
+          <td class="text-danger">{{ user.delete_on }}</td>
+        {% else %}
+          <td class="text-success">None</td>
+        {% endif %}
        <td>{{ "yes" if user.is_paid() else "No" }}</td>
        <td>{{ "yes" if user.is_premium() else "No" }}</td>
        <td>{{ user.get_active_subscription() }}</td>
@ -77,6 +84,7 @@
    </thead>
    <tbody>
      {% for mailbox in mboxes %}
+
        <tr>
          <td>{{ mailbox.id }}</td>
          <td>