Home Explore Help
Sign In
RISCI_ATOM
/
mastodon
mirror of https://github.com/tootsuite/mastodon.git
1
0
Fork 0
Files Issues 8 Wiki
Browse Source

Fix other sessions not being logged out on password change (#14252)

While OAuth tokens were immediately revoked, accessing the home
controller immediately generated new OAuth tokens and "revived"
the session due to a combination of using remember_me tokens and
overwriting the `authenticate_user!` method
Eugen Rochko 3 years ago
parent
1c903c7ad6
commit
844870273f
3 changed files with 14 additions and 3 deletions
Split View Show Diff Stats
  1. 4 1
      app/controllers/auth/passwords_controller.rb
  2. 7 1
      app/controllers/auth/registrations_controller.rb
  3. 3 1
      app/controllers/home_controller.rb

+ 4 - 1
app/controllers/auth/passwords_controller.rb
View File 

@@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController
 
 
   def update
 
     super do |resource|
 
-      resource.session_activations.destroy_all if resource.errors.empty?
 
+      if resource.errors.empty?
 
+        resource.session_activations.destroy_all
 
+        resource.forget_me!
 
+      end
 
     end
 
   end

+ 7 - 1
app/controllers/auth/registrations_controller.rb
View File 

@@ -1,6 +1,8 @@
 
 # frozen_string_literal: true
 
 
 class Auth::RegistrationsController < Devise::RegistrationsController
 
+  include Devise::Controllers::Rememberable
 
+
 
   layout :determine_layout
 
 
   before_action :set_invite, only: [:new, :create]
 
@@ -24,7 +26,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController
 
 
   def update
 
     super do |resource|
 
-      resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
 
+      if resource.saved_change_to_encrypted_password?
 
+        resource.clear_other_sessions(current_session.session_id)
 
+        resource.forget_me!
 
+        remember_me(resource)
 
+      end
 
     end
 
   end

+ 3 - 1
app/controllers/home_controller.rb
View File 

@@ -1,6 +1,7 @@
 
 # frozen_string_literal: true
 
 
 class HomeController < ApplicationController
 
+  before_action :redirect_unauthenticated_to_permalinks!
 
   before_action :authenticate_user!
 
   before_action :set_referrer_policy_header
 
 
@@ -10,7 +11,7 @@ class HomeController < ApplicationController
 
 
   private
 
 
-  def authenticate_user!
 
+  def redirect_unauthenticated_to_permalinks!
 
     return if user_signed_in?
 
 
     matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/)
 
@@ -35,6 +36,7 @@ class HomeController < ApplicationController
 
     end
 
 
     matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z})
 
+
 
     redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path)
 
   end