Fix other sessions not being logged out on password change (#14252)
While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
This commit is contained in:
parent
1c903c7ad6
commit
844870273f
@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController
|
|||||||
|
|
||||||
def update
|
def update
|
||||||
super do |resource|
|
super do |resource|
|
||||||
resource.session_activations.destroy_all if resource.errors.empty?
|
if resource.errors.empty?
|
||||||
|
resource.session_activations.destroy_all
|
||||||
|
resource.forget_me!
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -1,6 +1,8 @@
|
|||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class Auth::RegistrationsController < Devise::RegistrationsController
|
class Auth::RegistrationsController < Devise::RegistrationsController
|
||||||
|
include Devise::Controllers::Rememberable
|
||||||
|
|
||||||
layout :determine_layout
|
layout :determine_layout
|
||||||
|
|
||||||
before_action :set_invite, only: [:new, :create]
|
before_action :set_invite, only: [:new, :create]
|
||||||
@ -24,7 +26,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController
|
|||||||
|
|
||||||
def update
|
def update
|
||||||
super do |resource|
|
super do |resource|
|
||||||
resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
|
if resource.saved_change_to_encrypted_password?
|
||||||
|
resource.clear_other_sessions(current_session.session_id)
|
||||||
|
resource.forget_me!
|
||||||
|
remember_me(resource)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
# frozen_string_literal: true
|
# frozen_string_literal: true
|
||||||
|
|
||||||
class HomeController < ApplicationController
|
class HomeController < ApplicationController
|
||||||
|
before_action :redirect_unauthenticated_to_permalinks!
|
||||||
before_action :authenticate_user!
|
before_action :authenticate_user!
|
||||||
before_action :set_referrer_policy_header
|
before_action :set_referrer_policy_header
|
||||||
|
|
||||||
@ -10,7 +11,7 @@ class HomeController < ApplicationController
|
|||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def authenticate_user!
|
def redirect_unauthenticated_to_permalinks!
|
||||||
return if user_signed_in?
|
return if user_signed_in?
|
||||||
|
|
||||||
matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/)
|
matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/)
|
||||||
@ -35,6 +36,7 @@ class HomeController < ApplicationController
|
|||||||
end
|
end
|
||||||
|
|
||||||
matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z})
|
matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z})
|
||||||
|
|
||||||
redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path)
|
redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user