Unfloyded/Legamunt
0
0
Fork 0
Code Activity

Revoke all authorized applications on password reset (#21325)

Browse source 
* Clear sessions on password change

* Rename User::clear_sessions to revoke_access for a clearer meaning

* Add reset paassword controller test

* Use User.find instead of User.find_for_authentication for reset password test

* Use redirect and render for better test meaning in reset password

Co-authored-by: Effy Elden <effy@effy.space>
This commit is contained in:
Francis Murillo 2022-12-15 14:47:06 +00:00 committed by GitHub
parent fe9eab51d1
commit 5fb1c3e934
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 73 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

16
app/models/user.rb
View file

@ -377,6 +377,15 @@ class User < ApplicationRecord
super
end
def revoke_access!
Doorkeeper::AccessGrant.by_resource_owner(self).update_all(revoked_at: Time.now.utc)
Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch|
batch.update_all(revoked_at: Time.now.utc)
Web::PushSubscription.where(access_token_id: batch).delete_all
end
end
def reset_password!
# First, change password to something random and deactivate all sessions
transaction do
@ -385,12 +394,7 @@ class User < ApplicationRecord
end
# Then, remove all authorized applications and connected push subscriptions
Doorkeeper::AccessGrant.by_resource_owner(self).in_batches.update_all(revoked_at: Time.now.utc)
Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch|
batch.update_all(revoked_at: Time.now.utc)
Web::PushSubscription.where(access_token_id: batch).delete_all
end
revoke_access!
# Finally, send a reset password prompt to the user
send_reset_password_instructions