SECURITY: log off all existing sessions when resetting password

Sam 2015-04-15 08:57:43 +10:00
parent 6a0cce8571
commit 2a3f71a9a1
2 changed files with 8 additions and 1 deletions


@ -321,6 +321,7 @@ class UsersController < ApplicationController
else else
@user.password = params[:password] @user.password = params[:password]
@user.password_required! @user.password_required!
@user.auth_token = nil
if @user.save if @user.save
Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
logon_after_password_reset logon_after_password_reset
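Review bot: The session invalidation `@user.auth_token = nil` is placed only in this controller branch, so any other path that assigns a new password (account settings, admin tooling, an API) would leave previously issued tokens valid; a model-level hook on the User that clears `auth_token` whenever the password attribute is assigned would cover every path at once, with this line becoming redundant. As written the line should at least carry the same kind of why-comment its neighbour has, e.g. `@user.auth_token = nil # log out every existing session; a fresh token is issued on logon`. The spec in this commit expects a 32-character token after the reset, so something downstream (presumably `logon_after_password_reset`, not visible here) must regenerate it only after `@user.save` succeeds — worth confirming, since a failed save would otherwise leave the in-memory nil and a stale cookie. The enclosing method and its `if` begin outside the hunk.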


@ -266,13 +266,19 @@ describe UsersController do
context 'valid token' do context 'valid token' do
it 'returns success' do it 'returns success' do
user = Fabricate(:user) user = Fabricate(:user, auth_token: SecureRandom.hex(16))
token = user.email_tokens.create(email: user.email).token token = user.email_tokens.create(email: user.email).token
old_token = user.auth_token
get :password_reset, token: token get :password_reset, token: token
put :password_reset, token: token, password: 'newpassword' put :password_reset, token: token, password: 'newpassword'
expect(response).to be_success expect(response).to be_success
expect(assigns[:error]).to be_blank expect(assigns[:error]).to be_blank
user.reload
expect(user.auth_token).to_not eq old_token
expect(user.auth_token.length).to eq 32
end end
end end