SECURITY: expire all existing sessions if user changes passwords
parent
2da229cdaa
commit
4171eb758c
@ -320,7 +320,10 @@ class User < ActiveRecord::Base
def password=(password)
def password=(password)
# special case for passwordless accounts
# special case for passwordless accounts
@raw_password = password unless password.blank?
unless password.blank?
@raw_password = password
self.auth_token = nil
end
end
end
def password
def password
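Review bot: The added `self.auth_token = nil` inside the `unless password.blank?` branch carries the whole "expire all existing sessions" intent of the commit, yet nothing in `password=` says why a password change touches the token; a why-comment such as `# clearing auth_token invalidates any session still holding the old one (presumably what the session cookie is checked against)` would stop a later refactor from dropping the line as unrelated. The clear only lands when the record is saved, so assuming sessions are checked against the persisted token, existing sessions remain valid until `save!`, which is the order the accompanying spec uses. The blank-password special case skips the clear entirely, so a passwordless account keeps its sessions on a no-op assignment; if that is deliberate the same comment should say so.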
@ -509,18 +509,24 @@ describe User do
end
end
describe 'passwords' do
describe 'passwords' do
before do
it "should not have an active account with a good password" do
@user = Fabricate.build(:user, active: false)
@user = Fabricate.build(:user, active: false)
@user.password = "ilovepasta"
@user.password = "ilovepasta"
@user.save!
@user.save!
end
it "should have a valid password after the initial save" do
@user.auth_token = SecureRandom.hex(16)
expect(@user.confirm_password?("ilovepasta")).to eq(true)
@user.save!
end
it "should not have an active account after initial save" do
expect(@user.active).to eq(false)
expect(@user.active).to eq(false)
expect(@user.confirm_password?("ilovepasta")).to eq(true)
old_token = @user.auth_token
@user.password = "passwordT"
@user.save!
# must expire old token on password change
expect(@user.auth_token).to_not eq(old_token)
end
end
end
end
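Review bot: `expect(@user.auth_token).to_not eq(old_token)` pins only that the token differs from the one captured before the change, and since the setter under test assigns nil, the assertion cannot distinguish a cleared token from a regenerated one; if the contract is "cleared on password change", `expect(@user.auth_token).to be_nil` states it exactly, and if a fresh token is expected instead, the current matcher would still pass on nil and hide that regression. The example "should not have an active account with a good password" now asserts three separate behaviors (inactive account, password confirmation, token expiry) after what looks like the old `before` setup was folded into it; moving the `old_token = @user.auth_token`, `@user.password = "passwordT"` / `@user.save!` and `to_not eq(old_token)` lines into their own `it "expires the auth token on password change"` keeps a failure pointing at one behavior. The enclosing `describe User do` block ends outside the hunk.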