Unfloyded/Legamunt
0
0
Fork 0
Code Activity

Fix 2FA/sign-in token sessions being valid after password change (#14802)

Browse source 
If someone tries logging in to an account and is prompted for a 2FA
code or sign-in token, even if the account's password or e-mail is
updated in the meantime, the session will show the prompt and allow
the login process to complete with a valid 2FA code or sign-in token
This commit is contained in:
Eugen Rochko 2020-11-12 23:05:01 +01:00 committed by GitHub
parent 9870b175b4
commit 8532429af7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 78 additions and 40 deletions
Download patch file Download diff file Expand all files Collapse all files

7
app/controllers/concerns/user_tracking_concern.rb
View file

@ -6,14 +6,13 @@ module UserTrackingConcern
UPDATE_SIGN_IN_HOURS = 24
included do
before_action :set_user_activity
before_action :update_user_sign_in
end
private
def set_user_activity
return unless user_needs_sign_in_update?
current_user.update_tracked_fields!(request)
def update_user_sign_in
current_user.update_sign_in!(request) if user_needs_sign_in_update?
end
def user_needs_sign_in_update?