SECURITY: log off all existing sessions when resetting password
parent
6a0cce8571
commit
2a3f71a9a1
@ -321,6 +321,7 @@ class UsersController < ApplicationController
|
||||||
else
|
else
|
||||||
@user.password = params[:password]
|
@user.password = params[:password]
|
||||||
@user.password_required!
|
@user.password_required!
|
||||||
|
@user.auth_token = nil
|
||||||
if @user.save
|
if @user.save
|
||||||
Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
|
Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
|
||||||
logon_after_password_reset
|
logon_after_password_reset
|
||||||
|
|
|
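Review bot: The new `@user.auth_token = nil` carries no comment, while the neighbouring `Invite.invalidate_for_email` line explains its intent; a comment would make the log-out-everywhere effect and its dependency on the later logon visible, e.g. `@user.auth_token = nil # invalidates every existing session; logon_after_password_reset is expected to issue a fresh token`. The nil value is persisted by `@user.save` before `logon_after_password_reset` runs, so if that helper did not write a new token (its body is outside the hunk; the spec's 32-character assertion suggests it does) the row would be left with a NULL auth_token, and it is worth confirming that the cookie-to-user lookup never treats a missing or empty token as a match. The enclosing action starts before and ends after the hunk.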
@ -266,13 +266,19 @@ describe UsersController do
|
||||||
|
|
||||||
context 'valid token' do
|
context 'valid token' do
|
||||||
it 'returns success' do
|
it 'returns success' do
|
||||||
user = Fabricate(:user)
|
user = Fabricate(:user, auth_token: SecureRandom.hex(16))
|
||||||
token = user.email_tokens.create(email: user.email).token
|
token = user.email_tokens.create(email: user.email).token
|
||||||
|
|
||||||
|
old_token = user.auth_token
|
||||||
|
|
||||||
get :password_reset, token: token
|
get :password_reset, token: token
|
||||||
put :password_reset, token: token, password: 'newpassword'
|
put :password_reset, token: token, password: 'newpassword'
|
||||||
expect(response).to be_success
|
expect(response).to be_success
|
||||||
expect(assigns[:error]).to be_blank
|
expect(assigns[:error]).to be_blank
|
||||||
|
|
||||||
|
user.reload
|
||||||
|
expect(user.auth_token).to_not eq old_token
|
||||||
|
expect(user.auth_token.length).to eq 32
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
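Review bot: The new assertions on the reloaded `user` check only that the stored `auth_token` changed and has length 32; they do not exercise the property the commit title claims, that a session carrying the old token is no longer authenticated. A follow-up example that presents the previous token as the auth cookie on a request to an authenticated action and expects it to be rejected would pin that behaviour against regressions in the lookup code. The fixture's `auth_token: SecureRandom.hex(16)` also yields 32 characters, so `expect(user.auth_token.length).to eq 32` alone cannot distinguish a regenerated token from the original; the `expect(user.auth_token).to_not eq old_token` line is what carries that check. The surrounding describe block starts before the hunk.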