Fix other sessions not being logged out on password change (#14252)
While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
This commit is contained in:
		| @@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController | |||||||
|  |  | ||||||
|   def update |   def update | ||||||
|     super do |resource| |     super do |resource| | ||||||
|       resource.session_activations.destroy_all if resource.errors.empty? |       if resource.errors.empty? | ||||||
|  |         resource.session_activations.destroy_all | ||||||
|  |         resource.forget_me! | ||||||
|  |       end | ||||||
|     end |     end | ||||||
|   end |   end | ||||||
|  |  | ||||||
|   | |||||||
| @@ -1,6 +1,8 @@ | |||||||
| # frozen_string_literal: true | # frozen_string_literal: true | ||||||
|  |  | ||||||
| class Auth::RegistrationsController < Devise::RegistrationsController | class Auth::RegistrationsController < Devise::RegistrationsController | ||||||
|  |   include Devise::Controllers::Rememberable | ||||||
|  |  | ||||||
|   layout :determine_layout |   layout :determine_layout | ||||||
|  |  | ||||||
|   before_action :set_invite, only: [:new, :create] |   before_action :set_invite, only: [:new, :create] | ||||||
| @@ -24,7 +26,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController | |||||||
|  |  | ||||||
|   def update |   def update | ||||||
|     super do |resource| |     super do |resource| | ||||||
|       resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password? |       if resource.saved_change_to_encrypted_password? | ||||||
|  |         resource.clear_other_sessions(current_session.session_id) | ||||||
|  |         resource.forget_me! | ||||||
|  |         remember_me(resource) | ||||||
|  |       end | ||||||
|     end |     end | ||||||
|   end |   end | ||||||
|  |  | ||||||
|   | |||||||
| @@ -1,6 +1,7 @@ | |||||||
| # frozen_string_literal: true | # frozen_string_literal: true | ||||||
|  |  | ||||||
| class HomeController < ApplicationController | class HomeController < ApplicationController | ||||||
|  |   before_action :redirect_unauthenticated_to_permalinks! | ||||||
|   before_action :authenticate_user! |   before_action :authenticate_user! | ||||||
|   before_action :set_referrer_policy_header |   before_action :set_referrer_policy_header | ||||||
|  |  | ||||||
| @@ -10,7 +11,7 @@ class HomeController < ApplicationController | |||||||
|  |  | ||||||
|   private |   private | ||||||
|  |  | ||||||
|   def authenticate_user! |   def redirect_unauthenticated_to_permalinks! | ||||||
|     return if user_signed_in? |     return if user_signed_in? | ||||||
|  |  | ||||||
|     matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/) |     matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/) | ||||||
| @@ -35,6 +36,7 @@ class HomeController < ApplicationController | |||||||
|     end |     end | ||||||
|  |  | ||||||
|     matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z}) |     matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z}) | ||||||
|  |  | ||||||
|     redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path) |     redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path) | ||||||
|   end |   end | ||||||
|  |  | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user