FIX: Allow user to log in another account using the same device (client_id) (#29121)

Allow a user to log in to another account using the same device (client_id)
This commit is contained in:
Natalie Tay 2024-10-14 12:39:20 +08:00 committed by GitHub
parent d3f09f8f61
commit ede06ffd43
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 21 additions and 2 deletions


@ -61,8 +61,7 @@ class UserApiKeysController < ApplicationController
@application_name = params[:application_name] @application_name = params[:application_name]
scopes = params[:scopes].split(",") scopes = params[:scopes].split(",")
# destroy any old keys we had UserApiKey.where(client_id: params[:client_id]).destroy_all
UserApiKey.where(user_id: current_user.id, client_id: params[:client_id]).destroy_all
key = key =
UserApiKey.create!( UserApiKey.create!(
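Review bot: The comment explaining the destroy_all was dropped, and the scoped `where(user_id: current_user.id, client_id: params[:client_id])` now reads as if it cannot produce the outcome the new spec asserts: user1's key vanishing when user2 posts the same client_id. This line only removes the current user's rows, so the cross-user revocation the spec relies on must happen outside this hunk (presumably in the model), and a reader of this controller has no way to tell. Restore a comment that records that split, e.g. `# Replace only this user's existing key(s) for this device; keys other users hold for the same client_id are not touched here (that is handled elsewhere — see the spec)`. The enclosing create action starts and ends outside the hunk.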


@ -294,6 +294,26 @@ RSpec.describe UserApiKeysController do
uri = URI.parse(response.redirect_url) uri = URI.parse(response.redirect_url)
expect(uri.to_s).to include(query_str) expect(uri.to_s).to include(query_str)
end end
it "revokes API key when client_id used by another user" do
user1 = Fabricate(:trust_level_0)
user2 = Fabricate(:trust_level_0)
key = Fabricate(:user_api_key, user: user1)
SiteSetting.user_api_key_allowed_groups = Group::AUTO_GROUPS[:trust_level_0]
SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
SiteSetting.allowed_user_api_push_urls = "https://push.it/here"
args[:client_id] = key.client_id
args[:scopes] = "push,notifications,message_bus,session_info,one_time_password"
args[:push_url] = "https://push.it/here"
sign_in(user2)
post "/user-api-key.json", params: args
expect(response.status).to eq(302)
expect(UserApiKey.exists?(key.id)).to eq(false)
end
end end
describe "#create-one-time-password" do describe "#create-one-time-password" do
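Review bot: The new example asserts only that user1's key no longer exists; it never checks that user2 actually received a key for that client_id, which is the behaviour the commit title promises, so a regression that deletes the old key and then fails to create the new one would still pass. Add after the exists? check: `expect(UserApiKey.where(user_id: user2.id, client_id: key.client_id).exists?).to eq(true)`. `args` and `sign_in` are defined outside the hunk, and the enclosing describe block starts before it.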