Fix other sessions not being logged out on password change (#14252)

While OAuth tokens were immediately revoked, accessing the home
controller immediately generated new OAuth tokens and "revived"
the session due to a combination of using remember_me tokens and
overriding the `authenticate_user!` method.
master
Eugen Rochko 5 years ago committed by GitHub
parent 1c903c7ad6
commit 844870273f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 5
      app/controllers/auth/passwords_controller.rb
  2. 8
      app/controllers/auth/registrations_controller.rb
  3. 4
      app/controllers/home_controller.rb

@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController
def update def update
super do |resource| super do |resource|
resource.session_activations.destroy_all if resource.errors.empty? if resource.errors.empty?
resource.session_activations.destroy_all
resource.forget_me!
end
end end
end end
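Review bot: Whether the new `resource.forget_me!` in Auth::PasswordsController#update actually stops existing remember-me cookies from validating is not decidable from this hunk: Devise's forget_me! nulls the token only when the user model has a remember_token column, and otherwise relies on remember_created_at being cleared, which happens only when `expire_all_remember_me_on_sign_out` is enabled in the Devise config. Neither the model nor the config is on this page, so confirm one of the two holds; if not, a browser holding an older remember cookie can still sign back in after the reset despite `session_activations.destroy_all`. The intent deserves a comment above `resource.session_activations.destroy_all`, e.g. `# A reset password must end every existing session and remember-me token`.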

@ -1,6 +1,8 @@
# frozen_string_literal: true # frozen_string_literal: true
class Auth::RegistrationsController < Devise::RegistrationsController class Auth::RegistrationsController < Devise::RegistrationsController
include Devise::Controllers::Rememberable
layout :determine_layout layout :determine_layout
before_action :set_invite, only: [:new, :create] before_action :set_invite, only: [:new, :create]
@ -24,7 +26,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController
def update def update
super do |resource| super do |resource|
resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password? if resource.saved_change_to_encrypted_password?
resource.clear_other_sessions(current_session.session_id)
resource.forget_me!
remember_me(resource)
end
end end
end end
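Review bot: The new `remember_me(resource)` after `resource.forget_me!` in Auth::RegistrationsController#update issues a fresh remember-me cookie for the current browser unconditionally, so a user who changed their password without ever opting into "remember me" now leaves this request with a long-lived cookie; if that is not intended, re-issue only when the old cookie was present, e.g. `remember_me(resource) if cookies.signed["remember_user_token"].present?` (cookie name per Devise's default scope naming; verify against the app's config). The forget/remember pair also reads as contradictory without context, so a comment above `resource.clear_other_sessions(...)` would help: `# Rotate the remember token so every other browser's remember-me cookie stops working, then re-issue one for this browser`. The `include Devise::Controllers::Rememberable` added at the top of the class is what brings the `remember_me` helper into scope and looks correct.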

@ -1,6 +1,7 @@
# frozen_string_literal: true # frozen_string_literal: true
class HomeController < ApplicationController class HomeController < ApplicationController
before_action :redirect_unauthenticated_to_permalinks!
before_action :authenticate_user! before_action :authenticate_user!
before_action :set_referrer_policy_header before_action :set_referrer_policy_header
@ -10,7 +11,7 @@ class HomeController < ApplicationController
private private
def authenticate_user! def redirect_unauthenticated_to_permalinks!
return if user_signed_in? return if user_signed_in?
matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/) matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/)
@ -35,6 +36,7 @@ class HomeController < ApplicationController
end end
matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z}) matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z})
redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path) redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path)
end end
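Review bot: The ordering of the two `before_action` lines at the top of HomeController now carries the fix, and nothing in the file records that: `redirect_unauthenticated_to_permalinks!` must stay declared before `authenticate_user!` so an anonymous deep link is redirected to its public permalink before Devise's authentication runs (the commit message attributes the revived sessions to the old `authenticate_user!` override combined with remember-me tokens). A comment on the first declaration would protect the ordering from a later tidy-up, e.g. `# Must run before authenticate_user!: anonymous deep links are redirected to their public permalinks first`. The renamed method starts in the second hunk and its body continues outside the hunks shown, so its remaining branches were not reviewed here.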
