Several changes:

RockinRoel · RockinRoel · commit fcbbd8338e29 · 2019-05-03T10:08:52.000+02:00
- Fix issue #7028: make sure to update the offset for subsequent query fields + test cases
 - wt_config.xml.in: extBaseURL has no use in Wt 4 anymore
 - Restore accidental conversions to StandardColor back (in docs)
 - WFileDropWidget: remove UpdateLock taking in JWt
 - explicit bool operators for safe bool conversion in:
   - observing_ptr
   - WApplication::UpdateLock
diff --git a/src/Wt/Auth/AuthModel.C b/src/Wt/Auth/AuthModel.C
@@ -236,14 +236,17 @@ User AuthModel::processAuthToken()
       AuthTokenResult result = baseAuth()->processAuthToken(*token, users());
 
       switch(result.state()) {
-      case AuthTokenState::Valid:
-	/*
-	 * Only extend the validity from what we had currently.
-	 */
-	app->setCookie(baseAuth()->authTokenCookieName(), result.newToken(),
-		       result.newTokenValidity(), "", "", app->environment().urlScheme() == "https");
+      case AuthTokenState::Valid: {
+        if (!result.newToken().empty()) {
+          /*
+           * Only extend the validity from what we had currently.
+           */
+          app->setCookie(baseAuth()->authTokenCookieName(), result.newToken(),
+                         result.newTokenValidity(), "", "", app->environment().urlScheme() == "https");
+        }
 
 	return result.user();
+      }
       case AuthTokenState::Invalid:
         app->setCookie(baseAuth()->authTokenCookieName(),std::string(), 0, "", "", app->environment().urlScheme() == "https");
 
diff --git a/src/Wt/Auth/AuthService.C b/src/Wt/Auth/AuthService.C
@@ -128,6 +128,7 @@ AuthService::AuthService()
     emailVerification_(false),
     emailTokenValidity_(3 * 24 * 60),  // three days
     authTokens_(false),
+    authTokenUpdateEnabled_(true),
     authTokenValidity_(14 * 24 * 60)   // two weeks
 {
   redirectInternalPath_ = "/auth/mail/";
@@ -254,26 +255,31 @@ AuthTokenResult AuthService::processAuthToken(const std::string& token,
   User user = users.findWithAuthToken(hash);
 
   if (user.isValid()) {
-    std::string newToken = WRandom::generateId(tokenLength_);
-    std::string newHash = tokenHashFunction()->compute(newToken, std::string());
-    int validity = user.updateAuthToken(hash, newHash);
-
-    if (validity < 0) {
-      /*
-       * Old API, this is bad since we always extend the lifetime of the
-       * token.
-       */
-      user.removeAuthToken(hash);
-      newToken = createAuthToken(user);
-      validity = authTokenValidity_ * 60;
-    }
+    if (authTokenUpdateEnabled_) {
+      std::string newToken = WRandom::generateId(tokenLength_);
+      std::string newHash = tokenHashFunction()->compute(newToken, std::string());
+      int validity = user.updateAuthToken(hash, newHash);
+
+      if (validity < 0) {
+        /*
+         * Old API, this is bad since we always extend the lifetime of the
+         * token.
+         */
+        user.removeAuthToken(hash);
+        newToken = createAuthToken(user);
+        validity = authTokenValidity_ * 60;
+      }
 
-    if (t.get()) t->commit();
+      if (t.get())
+        t->commit();
 
-    return AuthTokenResult(AuthTokenState::Valid, 
-			   user, newToken, validity);
+      return AuthTokenResult(AuthTokenState::Valid, user, newToken, validity);
+    } else {
+      return AuthTokenResult(AuthTokenState::Valid, user);
+    }
   } else {
-    if (t.get()) t->commit();
+    if (t.get())
+      t->commit();
     
     return AuthTokenResult(AuthTokenState::Invalid);
   }
diff --git a/src/Wt/Auth/AuthService.h b/src/Wt/Auth/AuthService.h
@@ -192,8 +192,8 @@ class WT_API AuthTokenResult
 
   /*! \brief Returns a new token for this user.
    *
-   * An authentication token can be used only once, and needs to be
-   * replaced by a new token.
+   * Returns the empty string if there is no new token. See
+   * AuthService::authTokenUpdateEnabled().
    *
    * The returned token is valid only if the state() == AuthTokenState::Valid.
    */
@@ -203,6 +203,8 @@ class WT_API AuthTokenResult
    *
    * This returns the token validity in seconds.
    *
+   * Returns -1 if there is no new token, or result() != Valid.
+   *
    * \sa newToken()
    */
   int newTokenValidity() const;
@@ -331,6 +333,32 @@ class WT_API AuthService
    */
   bool authTokensEnabled() const { return authTokens_; }
 
+  /*! \brief Set whether processAuthToken() updates the auth token
+   *
+   * If this option is enabled, processAuthToken() will replace the auth token
+   * with a new token. This is a bit more secure, because an auth token can
+   * only be used once. This is enabled by default.
+   *
+   * However, this means that if a user concurrently opens multiple sessions within
+   * the same browsers (e.g. multiple tabs being restored at the same time)
+   * or refreshes before they receive the new cookie, the user will be logged out,
+   * unless the AbstractUserDatabase implementation takes this into account
+   * (e.g. keeps the old token valid for a little bit longer)
+   *
+   * The default Dbo UserDatabase does not handle concurrent token updates well,
+   * so disable this option if you want to prevent that issue.
+   *
+   * \sa processAuthToken()
+   * \sa authTokenUpdateEnabled()
+   */
+  void setAuthTokenUpdateEnabled(bool enabled) { authTokenUpdateEnabled_ = enabled; }
+
+  /*! \brief Returns whether the auth token is updated
+   *
+   * \sa setAuthTokenUpdateEnabled()
+   */
+  bool authTokenUpdateEnabled() const { return authTokenUpdateEnabled_; }
+
   /*! \brief Returns the authentication token cookie name.
    *
    * This is the default cookie name used for storing the authentication
@@ -380,8 +408,11 @@ class WT_API AuthService
   /*! \brief Processes an authentication token.
    *
    * This verifies an authentication token, and considers whether it matches
-   * with a token hash value stored in database. If it matches, the token
-   * is removed and a new token is created for the identified user.
+   * with a token hash value stored in database. If it matches and auth token
+   * update is enabled, the token is updated with a new hash.
+   *
+   * \sa setAuthTokenUpdateEnabled()
+   * \sa AbstractUserDatabase::updateAuthToken()
    */
   virtual AuthTokenResult processAuthToken(const std::string& token,
 					   AbstractUserDatabase& users) const;
@@ -585,6 +616,7 @@ class WT_API AuthService
   std::string redirectInternalPath_;
 
   bool authTokens_;
+  bool authTokenUpdateEnabled_;
   int authTokenValidity_;  // minutes
   std::string authTokenCookieName_;
   std::string authTokenCookieDomain_;
diff --git a/src/Wt/Chart/WAbstractGridData.C b/src/Wt/Chart/WAbstractGridData.C
@@ -1731,7 +1731,7 @@ void WAbstractGridData::paintGLIndex(unsigned index, double marginX, double marg
 
     // Encoding the index as a color value.
     //
-    // Since StandardColor::White is the clear color of the index texture,
+    // Since white is the clear color of the index texture,
     // this allows for 16777215 meshes. That should be enough,
     // or is even a tad excessive.
     float r = ((index >> 16) & 0xff) / 255.0f;
diff --git a/src/Wt/Chart/WAbstractGridData.h b/src/Wt/Chart/WAbstractGridData.h
@@ -120,7 +120,7 @@ class WT_API WAbstractGridData : public WAbstractDataSeries3D {
   /*! \brief Sets the WPen that is used for drawing the mesh.
    *
    * Used when drawing the mesh on a surface or the lines around bars. The
-   * default is a default constructed WPen (StandardColor::Black and one pixel wide).
+   * default is a default constructed WPen (black and one pixel wide).
    *
    * Note: only the width and color of this WPen are used.
    *
diff --git a/src/Wt/Core/observing_ptr.hpp b/src/Wt/Core/observing_ptr.hpp
@@ -116,7 +116,7 @@ class observing_ptr
    * Returns if the pointer does not point to \c null and the pointed
    * object isn't deleted.
    */
-  operator bool() const noexcept;
+  explicit operator bool() const noexcept;
 
   /*! \brief Returns whether the observed object has been deleted.
    *
diff --git a/src/Wt/Dbo/Query.C b/src/Wt/Dbo/Query.C
@@ -194,7 +194,7 @@ std::string createQueryCountSql(const std::string& query,
 void substituteFields(const SelectFieldList& list,
 		      const std::vector<FieldInfo>& fs,
 		      std::string& sql,
-		      int offset)
+                      int& offset)
 {
   for (unsigned i = 0, j = 0; j < list.size(); ++j) {
     if (fs[i].isFirstDboField()) {
diff --git a/src/Wt/Dbo/Query_impl.h b/src/Wt/Dbo/Query_impl.h
@@ -52,7 +52,7 @@ extern void WTDBO_API
 substituteFields(const SelectFieldList& list,
 		 const std::vector<FieldInfo>& fs,
 		 std::string& sql,
-		 int offset);
+                 int& offset);
 
 extern void WTDBO_API 
 parseSql(const std::string& sql, SelectFieldLists& fieldLists);
diff --git a/src/Wt/Render/LayoutBox.h b/src/Wt/Render/LayoutBox.h
@@ -27,7 +27,7 @@ struct InlineBox : public LayoutBox
 
   int utf8Pos, utf8Count;
 
-  // minimum width of StandardColor::White space contained in this linebox.
+  // minimum width of whitespace contained in this linebox.
   double whitespaceWidth;
   int whitespaceCount;
 
diff --git a/src/Wt/Render/Line.C b/src/Wt/Render/Line.C
@@ -166,7 +166,7 @@ void Line::finish(AlignmentFlag textAlign,
   Range rangeX(minX, maxX);
   Block::adjustAvailableWidth(y_, page_, floats, rangeX);
   
-  /* Compute total width and total StandardColor::White space width */
+  /* Compute total width and total whitespace width */
   double whitespace = 0;
   double content = 0;
 
diff --git a/src/Wt/Render/WTextRenderer.h b/src/Wt/Render/WTextRenderer.h
@@ -55,8 +55,8 @@ struct LayoutBox;
  * - only "display: inline" or "display: block" elements are supported.
  *   "display: none" and "display: inline-block" are not (yet) recognized. 
  * - only colors defined in terms of RGB values are supported: CSS named colors
- *   (e.g. 'StandardColor::Blue') are not allowed.
- * - Bidi (Side::Right-to-Side::Left) text rendering is not supported
+ *   (e.g. 'blue') are not allowed.
+ * - Bidi (Right-to-Left) text rendering is not supported
  *
  * The renderer is not CSS compliant (simply because it is still lacking
  * alot of features), but the subset of CSS that is supported is a pragmatic
diff --git a/src/Wt/WApplication.h b/src/Wt/WApplication.h
@@ -1312,7 +1312,7 @@ class WT_API WApplication : public WObject
      * finalizer/destructor has run to notify helper threads that the
      * application is destroyed).
      */
-    operator bool() const { return ok_; }
+    explicit operator bool() const { return ok_; }
 
     /*! \brief Releases the lock.
      */
diff --git a/src/Wt/WFileDropWidget.C b/src/Wt/WFileDropWidget.C
@@ -46,11 +46,17 @@ protected:
   virtual void handleRequest(const Http::Request &request,
 			     Http::Response &response) override
   {
+    // In JWt we still have the update lock
 #ifndef WT_TARGET_JAVA
+    /**
+     * Taking the update-lock (rather than posting to the event loop):
+     *   - guarantee that the updates to WFileDropWidget happen immediately, 
+     *     before any application-code is called by the finished upload.
+     *   - only Wt-code is executed within this lock
+     */
     WApplication::UpdateLock lock(WApplication::instance());
-#else
-    WApplication::UpdateLock lock = WApplication::instance()->getUpdateLock();
-#endif
+#endif // WT_TARGET_JAVA
+
     const std::string *fileId = request.getParameter("file-id");
     if (fileId == 0 || (*fileId).empty()) {
       response.setStatus(404);
@@ -85,9 +91,6 @@ protected:
     }
 
     response.setMimeType("text/plain"); // else firefox complains
-#ifdef WT_TARGET_JAVA
-    lock.release();
-#endif
   }
 
 private:
diff --git a/src/Wt/WInPlaceEdit.h b/src/Wt/WInPlaceEdit.h
@@ -59,7 +59,7 @@ class WPushButton;
  * CSS stylesheet:
  * \code
  * .inplace span:hover {
- *    background-color: StandardColor::Gray;
+ *    background-color: gray;
  * }
  * \endcode
  */
diff --git a/src/Wt/WLocalizedStrings.h b/src/Wt/WLocalizedStrings.h
@@ -51,9 +51,9 @@ struct LocalizedString
   bool success;
 
 #ifndef WT_TARGET_JAVA
-  /*! \brief Implicit bool conversion, for checking success.
+  /*! \brief Bool conversion, for checking success.
    */
-  inline operator bool() const { return success; }
+  explicit inline operator bool() const { return success; }
   inline bool operator!() const { return !success; }
 #endif // WT_TARGET_JAVA
 };
diff --git a/src/Wt/WMenuItem.h b/src/Wt/WMenuItem.h
@@ -128,7 +128,7 @@ class WT_API WMenuItem : public WContainerWidget
    * \link WString::literal() literal text\endlink is used, the path
    * is based on the text itself, otherwise on the \link
    * WString::key() key\endlink. It is converted to lower case, and
-   * replacing StandardColor::White space and special characters with '_'.
+   * replacing whitespace and special characters with '_'.
    *
    * \sa setText(), WMenu::setInternalPathEnabled()
    *
diff --git a/src/Wt/WPainter.h b/src/Wt/WPainter.h
@@ -690,7 +690,7 @@ class WT_API WPainter
    * The shadow effect is applied to all things drawn (paths, text and images).
    *
    * \note With the VML backend (IE), the shadow is not applied to images,
-   *       and the shadow color is always StandardColor::Black; only the opacity (alpha)
+   *       and the shadow color is always black; only the opacity (alpha)
    *       channel is taken into account.
    * \sa LowQualityShadows
    */
diff --git a/src/Wt/WPen.h b/src/Wt/WPen.h
@@ -55,17 +55,17 @@ class WT_API WPen : public WJavaScriptExposableObject
   /*! \brief Typedef for enum Wt::PenJoinStyle */
   typedef PenJoinStyle JoinStyle;
 
-  /*! \brief Creates a StandardColor::Black cosmetic pen.
+  /*! \brief Creates a black cosmetic pen.
    *
-   * Constructs a StandardColor::Black solid pen of 0 width (i.e. cosmetic single
+   * Constructs a black solid pen of 0 width (i.e. cosmetic single
    * pixel width), with \link Wt::PenCapStyle::Square PenCapStyle::Square\endlink line
    * ends and \link Wt::PenJoinStyle::Bevel PenJoinStyle::Bevel\endlink line join style.
    */
   WPen();
 
-  /*! \brief Creates a StandardColor::Black pen with a particular style.
+  /*! \brief Creates a black pen with a particular style.
    *
-   * Constructs a StandardColor::Black pen of 0 width (i.e. cosmetic single pixel
+   * Constructs a black pen of 0 width (i.e. cosmetic single pixel
    * width), with \link Wt::PenCapStyle::Square PenCapStyle::Square\endlink line ends and
    * \link Wt::PenJoinStyle::Bevel PenJoinStyle::Bevel\endlink line join style.
    *
diff --git a/src/Wt/WRandom.C b/src/Wt/WRandom.C
@@ -40,10 +40,10 @@ namespace Wt {
   
 unsigned int WRandom::get()
 {
-  if (!instance.get()) {
+  if (!instance) {
 #ifdef WT_THREADED
     std::unique_lock<std::mutex> l(randomInstanceMutex);
-    if (!instance.get())
+    if (!instance)
       instance.reset(new RandomDevice);
 #else
     instance.reset(new RandomDevice);
diff --git a/test/dbo/DboTest.C b/test/dbo/DboTest.C
diff --git a/wt_config.xml.in b/wt_config.xml.in

Original file line number	Diff line number	Diff line change
`@@ -120,7 +120,7 @@ class WT_API WAbstractGridData : public WAbstractDataSeries3D {`
`120`	`120`	`/*! \brief Sets the WPen that is used for drawing the mesh.`
`121`	`121`	`*`
`122`	`122`	`* Used when drawing the mesh on a surface or the lines around bars. The`
`123`		`- * default is a default constructed WPen (StandardColor::Black and one pixel wide).`
	`123`	`+ * default is a default constructed WPen (black and one pixel wide).`
`124`	`124`	`*`
`125`	`125`	`* Note: only the width and color of this WPen are used.`
`126`	`126`	`*`
Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ class observing_ptr`
`116`	`116`	`* Returns if the pointer does not point to \c null and the pointed`
`117`	`117`	`* object isn't deleted.`
`118`	`118`	`*/`
`119`		`- operator bool() const noexcept;`
	`119`	`+ explicit operator bool() const noexcept;`
`120`	`120`
`121`	`121`	`/*! \brief Returns whether the observed object has been deleted.`
`122`	`122`	`*`
Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ std::string createQueryCountSql(const std::string& query,`
`194`	`194`	`void substituteFields(const SelectFieldList& list,`
`195`	`195`	`const std::vector<FieldInfo>& fs,`
`196`	`196`	`std::string& sql,`
`197`		`- int offset)`
	`197`	`+ int& offset)`
`198`	`198`	`{`
`199`	`199`	`for (unsigned i = 0, j = 0; j < list.size(); ++j) {`
`200`	`200`	`if (fs[i].isFirstDboField()) {`