SECURITY: expire all existing email tokens on password reset
This commit is contained in:
parent
4171eb758c
commit
feeb509a97
|
@ -92,6 +92,7 @@ class User < ActiveRecord::Base
|
||||||
after_save :clear_global_notice_if_needed
|
after_save :clear_global_notice_if_needed
|
||||||
after_save :refresh_avatar
|
after_save :refresh_avatar
|
||||||
after_save :badge_grant
|
after_save :badge_grant
|
||||||
|
after_save :expire_old_email_tokens
|
||||||
|
|
||||||
before_destroy do
|
before_destroy do
|
||||||
# These tables don't have primary keys, so destroying them with activerecord is tricky:
|
# These tables don't have primary keys, so destroying them with activerecord is tricky:
|
||||||
|
@ -786,6 +787,12 @@ class User < ActiveRecord::Base
|
||||||
BadgeGranter.queue_badge_grant(Badge::Trigger::UserChange, user: self)
|
BadgeGranter.queue_badge_grant(Badge::Trigger::UserChange, user: self)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def expire_old_email_tokens
|
||||||
|
if password_hash_changed? && !id_changed?
|
||||||
|
email_tokens.where('not expired').update_all(expired: true)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
def update_tracked_topics
|
def update_tracked_topics
|
||||||
return unless auto_track_topics_after_msecs_changed?
|
return unless auto_track_topics_after_msecs_changed?
|
||||||
TrackedTopicsUpdater.new(id, auto_track_topics_after_msecs).call
|
TrackedTopicsUpdater.new(id, auto_track_topics_after_msecs).call
|
||||||
|
|
|
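Review bot: The guards in `expire_old_email_tokens` read dirty-tracking state (`password_hash_changed?`, `id_changed?`) from inside an `after_save` callback, which only works while ActiveRecord still exposes the just-saved changes there; that is true for the Rails version this code appears to target, but on Rails 5.1+ the same checks would have to become `saved_change_to_password_hash?` and `saved_change_to_id?`. Neither the reason for the expiry nor the `!id_changed?` exclusion is documented, so add above the `if`: `# Outstanding reset/activation tokens must not remain usable once the password has changed; skip on initial creation so the activation token issued with a new user survives.` The raw fragment `where('not expired')` could be the hash form `where(expired: false)`, which is equivalent provided the `expired` column is NOT NULL — the schema is not visible here. Whether this method ends up under the model's `private` marker is also outside the hunk; it has no reason to be public.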
@ -521,12 +521,18 @@ describe User do
|
||||||
expect(@user.active).to eq(false)
|
expect(@user.active).to eq(false)
|
||||||
expect(@user.confirm_password?("ilovepasta")).to eq(true)
|
expect(@user.confirm_password?("ilovepasta")).to eq(true)
|
||||||
|
|
||||||
|
|
||||||
|
email_token = @user.email_tokens.create(email: 'pasta@delicious.com')
|
||||||
|
|
||||||
old_token = @user.auth_token
|
old_token = @user.auth_token
|
||||||
@user.password = "passwordT"
|
@user.password = "passwordT"
|
||||||
@user.save!
|
@user.save!
|
||||||
|
|
||||||
# must expire old token on password change
|
# must expire old token on password change
|
||||||
expect(@user.auth_token).to_not eq(old_token)
|
expect(@user.auth_token).to_not eq(old_token)
|
||||||
|
|
||||||
|
email_token.reload
|
||||||
|
expect(email_token.expired).to eq(true)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
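Review bot: The new assertions exercise only the positive branch — a token is expired after a password change — so the conditions in `expire_old_email_tokens` (`password_hash_changed?` and `!id_changed?`) have no test of the opposite path, and a regression that expired tokens on every save would still pass. Before `@user.password = "passwordT"`, save a change to some non-password attribute and assert `expect(email_token.reload.expired).to eq(false)`, and in the user-creation example assert that the token created at signup is still unexpired. The `email_token.reload` line and the following expectation can be folded into `expect(email_token.reload.expired).to eq(true)`. The enclosing `it` block begins before this hunk.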