FIX: Do not allow revoking the token of current session. (#6472)

* FIX: Do not allow revoking the token of current session.

* DEV: Add getter of current auth_token from Guardian.
This commit is contained in:
Bianca Nenciu 2018-10-12 02:40:48 +03:00 committed by Sam
parent e68ecf1f1d
commit 048cdfbcfa
5 changed files with 28 additions and 16 deletions

View File

@ -1119,7 +1119,10 @@ class UsersController < ApplicationController
user = fetch_user_from_params user = fetch_user_from_params
guardian.ensure_can_edit!(user) guardian.ensure_can_edit!(user)
if !SiteSetting.log_out_strict && params[:token_id] if params[:token_id]
token = UserAuthToken.find_by(id: params[:token_id], user_id: user.id)
# The user should not be able to revoke the auth token of current session.
raise Discourse::NotFound if guardian.auth_token == token.auth_token
UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!) UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)
else else
UserAuthToken.where(user_id: user.id).each(&:destroy!) UserAuthToken.where(user_id: user.id).each(&:destroy!)

View File

@ -9,9 +9,7 @@ class UserAuthTokenSerializer < ApplicationSerializer
end end
def is_active def is_active
cookie = scope.request.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE] scope.auth_token == object.auth_token
UserAuthToken.hash_token(cookie) == object.auth_token
end end
def seen_at def seen_at

View File

@ -381,6 +381,13 @@ class Guardian
(components - Theme.components_for(parent)).empty? (components - Theme.components_for(parent)).empty?
end end
def auth_token
return nil if !request&.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
cookie = request.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
UserAuthToken.hash_token(cookie)
end
private private
def is_my_own?(obj) def is_my_own?(obj)

View File

@ -2963,4 +2963,14 @@ describe Guardian do
end end
end end
end end
describe '#auth_token' do
it 'returns the correct auth token' do
token = UserAuthToken.generate!(user_id: user.id)
env = Rack::MockRequest.env_for("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token};")
guardian = Guardian.new(user, Rack::Request.new(env))
expect(guardian.auth_token).to eq(token.auth_token)
end
end
end end

View File

@ -3270,9 +3270,6 @@ describe UsersController do
end end
it 'logs user out' do it 'logs user out' do
SiteSetting.log_out_strict = false
expect(user.user_auth_tokens.count).to eq(2)
ids = user.user_auth_tokens.map { |token| token.id } ids = user.user_auth_tokens.map { |token| token.id }
post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: ids[0] } post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: ids[0] }
@ -3283,20 +3280,17 @@ describe UsersController do
expect(user.user_auth_tokens.first.id).to eq(ids[1]) expect(user.user_auth_tokens.first.id).to eq(ids[1])
end end
it 'logs user out from everywhere if log_out_strict is enabled' do it 'does not let user log out of current session' do
SiteSetting.log_out_strict = true token = UserAuthToken.generate!(user_id: user.id)
expect(user.user_auth_tokens.count).to eq(2) env = Rack::MockRequest.env_for("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token};")
Guardian.any_instance.stubs(:request).returns(Rack::Request.new(env))
ids = user.user_auth_tokens.map { |token| token.id } post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: token.id }
post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: ids[0] }
expect(response.status).to eq(200) expect(response.status).to eq(404)
expect(user.user_auth_tokens.count).to eq(0)
end end
it 'logs user out from everywhere if token_id is not present' do it 'logs user out from everywhere if token_id is not present' do
expect(user.user_auth_tokens.count).to eq(2)
post "/u/#{user.username}/preferences/revoke-auth-token.json" post "/u/#{user.username}/preferences/revoke-auth-token.json"
expect(response.status).to eq(200) expect(response.status).to eq(200)