From 40219f2b545db89f7183b5e02290c68d4e397b40 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lera=20Elvo=C3=A9?=
Date: Sat, 20 Dec 2025 20:11:44 +0300
Subject: [PATCH] clean stale sessions
---
 app/__init__.py | 14 +++++++++++++-
 app/routes/users.py | 14 +++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)
diff --git a/app/__init__.py b/app/__init__.py
index 0eb4e78..0d96686 100644
--- a/app/__init__.py
+++ b/app/__init__.py
@@ -1,6 +1,6 @@
 from flask import Flask, session, request, render_template
 from dotenv import load_dotenv
-from .models import Avatars, Users, PostHistory, Posts, MOTD, BadgeUploads
+from .models import Avatars, Users, PostHistory, Posts, MOTD, BadgeUploads, Sessions
 from .auth import digest
 from .routes.users import is_logged_in, get_active_user, get_prefers_theme
 from .constants import (
@@ -138,6 +138,16 @@ def bind_default_badges(path):
 'uploaded_at': int(os.path.getmtime(real_path)),
 })
+def clear_stale_sessions():
+ from .db import db
+ with db.transaction():
+ now = int(time.time())
+ stale_sessions = Sessions.findall([
+ ('expires_at', '<', now)
+ ])
+ for sess in stale_sessions:
+ sess.delete()
+
 cache = Cache()
@@ -226,6 +236,8 @@ def create_app():
 create_admin()
 create_deleted_user()
+ clear_stale_sessions()
+
 reparse_babycode()
 bind_default_badges(app.config['BADGES_PATH'])
diff --git a/app/routes/users.py b/app/routes/users.py
index a1a6738..868e8f8 100644
--- a/app/routes/users.py
+++ b/app/routes/users.py
@@ -74,7 +74,17 @@ def validate_and_create_badge(input_image, filename):
 return False
 def is_logged_in():
- return "pyrom_session_key" in session
+ if "pyrom_session_key" not in session:
+ return False
+ sess = Sessions.find({"key": session["pyrom_session_key"]})
+ if not sess:
+ return False
+ if sess.expires_at < int(time.time()):
+ session.clear()
+ sess.delete()
+ flash('Your session expired.;Please log in again.', InfoboxKind.INFO)
+ return False
+ return True
 def get_active_user():
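Review bot: In app/__init__.py, clear_stale_sessions() is only called from create_app() (the `@@ -226` hunk), so expired rows are purged once per process start; a session that expires while the app is running stays in the table until its cookie is presented to is_logged_in() again or the process restarts. If that is intended, record it in a docstring, e.g. `"""Delete Sessions rows whose expires_at is in the past; runs once at startup, not periodically."""`; otherwise the purge needs a recurring trigger. The function also calls `time.time()` while no `import time` is visible in the import hunk, so confirm the module already imports it.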
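Review bot: In app/routes/users.py, is_logged_in() returns False from the `if not sess:` branch without removing `pyrom_session_key` from the cookie session. A browser whose row was already deleted (for example by the startup purge added in app/__init__.py) therefore repeats the same failed lookup on every request and is never shown the expiry message, which is only flashed in the expired branch. Dropping the key there keeps the cookie and the table in step: `if not sess:` followed by `session.pop("pyrom_session_key", None)` and `return False`. This file gains no import lines in the patch, so `time`, `flash` and `InfoboxKind` are presumably already imported there; worth confirming.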
@@ -83,6 +93,8 @@ def get_active_user():
 sess = Sessions.find({"key": session["pyrom_session_key"]})
 if not sess:
 return None
+ if sess.expires_at < int(time.time()):
+ return None
 return Users.find({"id": sess.user_id})
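Review bot: The added expiry check in get_active_user() returns None but leaves the expired row and the cookie key in place, whereas is_logged_in() in the previous hunk clears both. Any caller that reaches get_active_user() without calling is_logged_in() first leaves the expired session behind. Doing the same cleanup keeps the two paths consistent: `session.clear()` and `sess.delete()` ahead of the new `return None`. The first lines of get_active_user() are outside the hunk, so if they already go through is_logged_in() this branch is unreachable and a comment saying so would be enough. The expiry comparison now lives in two functions; a small shared helper returning the live session row or None would stop them drifting apart.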