SECURITY: expire all existing sessions if user changes passwords

This commit is contained in:
Sam Saffron 2015-06-06 03:09:02 +10:00
parent 2da229cdaa
commit 4171eb758c
2 changed files with 16 additions and 7 deletions


@ -320,7 +320,10 @@ class User < ActiveRecord::Base
def password=(password) def password=(password)
# special case for passwordless accounts # special case for passwordless accounts
@raw_password = password unless password.blank? unless password.blank?
@raw_password = password
self.auth_token = nil
end
end end
def password def password
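Review bot: The new `self.auth_token = nil` inside `password=` carries the whole security intent of this commit, but the only comment in the method still describes the passwordless special case; a line such as `# clearing auth_token invalidates every existing session once the record is saved` above it would make that explicit to the next reader. The token is cleared in memory only, so the expiry takes effect only on a subsequent successful save, and it fires on every non-blank assignment, including re-assignment of the same password, so any caller that sets the password during an unrelated update will also log the user out of the current session; whether callers reissue a token afterwards cannot be seen from this hunk. The enclosing `User` class continues outside the hunk.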


@ -509,18 +509,24 @@ describe User do
end end
describe 'passwords' do describe 'passwords' do
before do
it "should not have an active account with a good password" do
@user = Fabricate.build(:user, active: false) @user = Fabricate.build(:user, active: false)
@user.password = "ilovepasta" @user.password = "ilovepasta"
@user.save! @user.save!
end
it "should have a valid password after the initial save" do @user.auth_token = SecureRandom.hex(16)
expect(@user.confirm_password?("ilovepasta")).to eq(true) @user.save!
end
it "should not have an active account after initial save" do
expect(@user.active).to eq(false) expect(@user.active).to eq(false)
expect(@user.confirm_password?("ilovepasta")).to eq(true)
old_token = @user.auth_token
@user.password = "passwordT"
@user.save!
# must expire old token on password change
expect(@user.auth_token).to_not eq(old_token)
end end
end end
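Review bot: The final assertion `expect(@user.auth_token).to_not eq(old_token)` inspects the in-memory attribute after `save!`, so it would pass even if the cleared token were never persisted; `expect(@user.reload.auth_token).to_not eq(old_token)` checks the stored value, which is what decides whether existing sessions are really expired. The example also does not pin what the token becomes; if the setter is meant to leave it `nil` until the next login, `expect(@user.auth_token).to be_nil` would state that, though I cannot tell from the hunk whether saving regenerates a token. The hunk appears to fold the earlier separate examples for account state and password confirmation into one `it` block, which makes a failure less specific; keeping the token-expiry check as its own example would preserve that granularity.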