SECURITY: expire all existing sessions if user changes passwords
parent
2da229cdaa
commit
4171eb758c
@ -320,7 +320,10 @@ class User < ActiveRecord::Base
|
|||
|
||||
def password=(password)
|
||||
# special case for passwordless accounts
|
||||
@raw_password = password unless password.blank?
|
||||
unless password.blank?
|
||||
@raw_password = password
|
||||
self.auth_token = nil
|
||||
end
|
||||
end
|
||||
|
||||
def password
|
||||
|
|
|
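Review bot: Invalidating the session with `self.auth_token = nil` leaves the column NULL until some later code issues a token; if session lookup is a `find_by(auth_token: cookie)` style query (not visible in this hunk), a NULL column can be matched by a blank or missing cookie value, so rotating to a fresh random value is the more defensive way to expire old sessions, e.g. `self.auth_token = SecureRandom.hex(16)` as the spec in this same commit already does. Whether a NULL token is ever matched depends on the lookup code outside this hunk, so this is worth confirming before relying on nil. The blank-password branch intentionally leaves both `@raw_password` and `auth_token` untouched; the comment `# special case for passwordless accounts` could say so explicitly, e.g. `# blank password: keep the existing hash and session token`. The `def password` reader that follows starts at the end of the hunk and its body is outside it.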
@ -509,18 +509,24 @@ describe User do
|
|||
end
|
||||
|
||||
describe 'passwords' do
|
||||
before do
|
||||
|
||||
it "should not have an active account with a good password" do
|
||||
@user = Fabricate.build(:user, active: false)
|
||||
@user.password = "ilovepasta"
|
||||
@user.save!
|
||||
end
|
||||
|
||||
it "should have a valid password after the initial save" do
|
||||
expect(@user.confirm_password?("ilovepasta")).to eq(true)
|
||||
end
|
||||
@user.auth_token = SecureRandom.hex(16)
|
||||
@user.save!
|
||||
|
||||
it "should not have an active account after initial save" do
|
||||
expect(@user.active).to eq(false)
|
||||
expect(@user.confirm_password?("ilovepasta")).to eq(true)
|
||||
|
||||
old_token = @user.auth_token
|
||||
@user.password = "passwordT"
|
||||
@user.save!
|
||||
|
||||
# must expire old token on password change
|
||||
expect(@user.auth_token).to_not eq(old_token)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
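Review bot: The new assertion `expect(@user.auth_token).to_not eq(old_token)` only shows the token value changed; it does not cover the blank-password path that the model setter special-cases, where the token must survive unchanged. A second example would pin that, e.g. `@user.password = ""`, `@user.save!`, `expect(@user.auth_token).to eq(old_token)`. It also asserts expiry by value rather than by the old token no longer resolving to the user, which is what the session lookup (outside this hunk) actually depends on. The enclosing `describe User` block and the `Fabricate` setup it relies on begin before this hunk.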