Fix 2FA/sign-in token sessions being valid after password change (#14802)

If someone tries logging in to an account and is prompted for a 2FA code or sign-in token, even if the account's password or e-mail is updated in the meantime, the session will show the prompt and allow the login process to complete with a valid 2FA code or sign-in token
2020-11-12 23:05:01 +01:00 · 2020-11-12 23:05:01 +01:00 · 8532429af7
commit 8532429af7
parent 9870b175b4
7 changed files with 78 additions and 40 deletions
--- a/app/controllers/auth/sessions_controller.rb
+++ b/app/controllers/auth/sessions_controller.rb
@ -7,6 +7,7 @@ class Auth::SessionsController < Devise::SessionsController

  skip_before_action :require_no_authentication, only: [:create]
  skip_before_action :require_functional!
+  skip_before_action :update_user_sign_in

  include TwoFactorAuthenticationConcern
  include SignInTokenAuthenticationConcern
@ -24,6 +25,7 @@ class Auth::SessionsController < Devise::SessionsController

  def create
    super do |resource|
+      resource.update_sign_in!(request, new_sign_in: true)
      remember_me(resource)
      flash.delete(:notice)
    end
@ -57,7 +59,7 @@ class Auth::SessionsController < Devise::SessionsController

  def find_user
    if session[:attempt_user_id]
-      User.find(session[:attempt_user_id])
+      User.find_by(id: session[:attempt_user_id])
    else
      user   = User.authenticate_with_ldap(user_params) if Devise.ldap_authentication
      user ||= User.authenticate_with_pam(user_params) if Devise.pam_authentication
@ -90,6 +92,7 @@ class Auth::SessionsController < Devise::SessionsController

  def require_no_authentication
    super
+
    # Delete flash message that isn't entirely useful and may be confusing in
    # most cases because /web doesn't display/clear flash messages.
    flash.delete(:alert) if flash[:alert] == I18n.t('devise.failure.already_authenticated')
@ -107,13 +110,30 @@ class Auth::SessionsController < Devise::SessionsController

  def home_paths(resource)
    paths = [about_path]
+
    if single_user_mode? && resource.is_a?(User)
      paths << short_account_path(username: resource.account)
    end
+
    paths
  end

  def continue_after?
    truthy_param?(:continue)
  end
+
+  def restart_session
+    clear_attempt_from_session
+    redirect_to new_user_session_path, alert: I18n.t('devise.failure.timeout')
+  end
+
+  def set_attempt_session(user)
+    session[:attempt_user_id]         = user.id
+    session[:attempt_user_updated_at] = user.updated_at.to_s
+  end
+
+  def clear_attempt_from_session
+    session.delete(:attempt_user_id)
+    session.delete(:attempt_user_updated_at)
+  end
 end