Add ability to skip sign-in token authentication for specific users (#16427)

Remove "active within last two weeks" exception for sign in token requirement Change admin reset password to lock access until the password is reset
2021-07-08 05:31:28 +02:00 · 2021-07-08 05:31:28 +02:00 · 771c9d4ba8
commit 771c9d4ba8
parent 2e0eac71dd
14 changed files with 160 additions and 32 deletions
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -344,6 +344,34 @@ RSpec.describe User, type: :model do
    end
  end

+  describe '#reset_password!' do
+    subject(:user) { Fabricate(:user, password: 'foobar12345') }
+
+    let!(:session_activation) { Fabricate(:session_activation, user: user) }
+    let!(:access_token) { Fabricate(:access_token, resource_owner_id: user.id) }
+    let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }
+
+    before do
+      user.reset_password!
+    end
+
+    it 'changes the password immediately' do
+      expect(user.external_or_valid_password?('foobar12345')).to be false
+    end
+
+    it 'deactivates all sessions' do
+      expect(user.session_activations.count).to eq 0
+    end
+
+    it 'revokes all access tokens' do
+      expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0
+    end
+
+    it 'removes push subscriptions' do
+      expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0
+    end
+  end
+
  describe '#confirm!' do
    subject(:user) { Fabricate(:user, confirmed_at: confirmed_at) }