From 4171eb758c29e0adc5c5af6e968c73f88d34ce0e Mon Sep 17 00:00:00 2001 From: Sam Saffron Date: Sat, 6 Jun 2015 03:09:02 +1000 Subject: [PATCH] SECURITY: expire all existing sessions if user changes passwords --- app/models/user.rb | 5 ++++- spec/models/user_spec.rb | 18 ++++++++++++------ 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/app/models/user.rb b/app/models/user.rb index 0b528cbefeb..a55a3e754c1 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -320,7 +320,10 @@ class User < ActiveRecord::Base def password=(password) # special case for passwordless accounts - @raw_password = password unless password.blank? + unless password.blank? + @raw_password = password + self.auth_token = nil + end end def password diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb index 9e676b14945..a204083e085 100644 --- a/spec/models/user_spec.rb +++ b/spec/models/user_spec.rb @@ -509,18 +509,24 @@ describe User do end describe 'passwords' do - before do + + it "should not have an active account with a good password" do @user = Fabricate.build(:user, active: false) @user.password = "ilovepasta" @user.save! - end - it "should have a valid password after the initial save" do - expect(@user.confirm_password?("ilovepasta")).to eq(true) - end + @user.auth_token = SecureRandom.hex(16) + @user.save! - it "should not have an active account after initial save" do expect(@user.active).to eq(false) + expect(@user.confirm_password?("ilovepasta")).to eq(true) + + old_token = @user.auth_token + @user.password = "passwordT" + @user.save! + + # must expire old token on password change + expect(@user.auth_token).to_not eq(old_token) end end