FIX: Do not allow revoking the token of current session. (#6472)
* FIX: Do not allow revoking the token of current session. * DEV: Add getter of current auth_token from Guardian.
parent
e68ecf1f1d
commit
048cdfbcfa
|
@ -1119,7 +1119,10 @@ class UsersController < ApplicationController
|
||||||
user = fetch_user_from_params
|
user = fetch_user_from_params
|
||||||
guardian.ensure_can_edit!(user)
|
guardian.ensure_can_edit!(user)
|
||||||
|
|
||||||
if !SiteSetting.log_out_strict && params[:token_id]
|
if params[:token_id]
|
||||||
|
token = UserAuthToken.find_by(id: params[:token_id], user_id: user.id)
|
||||||
|
# The user should not be able to revoke the auth token of current session.
|
||||||
|
raise Discourse::NotFound if guardian.auth_token == token.auth_token
|
||||||
UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)
|
UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)
|
||||||
else
|
else
|
||||||
UserAuthToken.where(user_id: user.id).each(&:destroy!)
|
UserAuthToken.where(user_id: user.id).each(&:destroy!)
|
||||||
|
|
|
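Review bot: `token` from `UserAuthToken.find_by(id: params[:token_id], user_id: user.id)` is nil whenever the id is unknown or belongs to another user, so the new `token.auth_token` comparison raises NoMethodError (a 500) where the old `where(...).each` simply did nothing; since the record is already loaded, guard it and destroy it directly, `raise Discourse::NotFound if token.nil? || guardian.auth_token == token.auth_token` followed by `token.destroy!`, which also drops the second `UserAuthToken.where(...)` query. Note that `guardian.auth_token` is nil for requests with no session cookie (the Guardian hunk returns nil in that case), so the self-revocation check cannot match and such a request may still revoke any of the user's tokens; that looks intended for non-cookie auth but deserves a one-line comment next to the raise. The enclosing controller action begins and ends outside the hunk.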
@ -9,9 +9,7 @@ class UserAuthTokenSerializer < ApplicationSerializer
|
||||||
end
|
end
|
||||||
|
|
||||||
def is_active
|
def is_active
|
||||||
cookie = scope.request.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
|
scope.auth_token == object.auth_token
|
||||||
|
|
||||||
UserAuthToken.hash_token(cookie) == object.auth_token
|
|
||||||
end
|
end
|
||||||
|
|
||||||
def seen_at
|
def seen_at
|
||||||
|
|
|
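Review bot: `is_active` now depends on `scope` being a Guardian that exposes `auth_token`, and nothing says what "active" means for this attribute; suggest `# True when this token backs the session making the current request (hashed-vs-hashed compare; the raw cookie never leaves Guardian).` above `def is_active`. If the serializer is ever built without a scope the call raises NoMethodError, but the replaced `scope.request` did the same, so this is not a regression. The rest of the serializer lies outside the hunk.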
@ -381,6 +381,13 @@ class Guardian
|
||||||
(components - Theme.components_for(parent)).empty?
|
(components - Theme.components_for(parent)).empty?
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def auth_token
|
||||||
|
return nil if !request&.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
|
||||||
|
|
||||||
|
cookie = request.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
|
||||||
|
UserAuthToken.hash_token(cookie)
|
||||||
|
end
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
def is_my_own?(obj)
|
def is_my_own?(obj)
|
||||||
|
|
|
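Review bot: The nil guard on the first line of `auth_token` does not appear to protect against a nil `request`: Ruby's `&.` guards only the `.cookies` call, and the following `[...]` is then sent to nil and raises NoMethodError rather than returning nil (RuboCop's Lint/SafeNavigationChain flags exactly this shape). It also reads the cookie twice. Suggest `return nil unless request`, then `cookie = request.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]`, then `UserAuthToken.hash_token(cookie) if cookie`. A short YARD line such as `# @return [String, nil] hash of the current session's auth-token cookie, or nil when the request carries none` would also help callers, since the serializer and controller compare this value directly. Whether `request` can be nil depends on Guardian's constructor, which is outside the hunk.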
@ -2963,4 +2963,14 @@ describe Guardian do
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
describe '#auth_token' do
|
||||||
|
it 'returns the correct auth token' do
|
||||||
|
token = UserAuthToken.generate!(user_id: user.id)
|
||||||
|
env = Rack::MockRequest.env_for("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token};")
|
||||||
|
|
||||||
|
guardian = Guardian.new(user, Rack::Request.new(env))
|
||||||
|
expect(guardian.auth_token).to eq(token.auth_token)
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
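Review bot: The new `#auth_token` spec covers only the happy path; the nil branch that the controller and serializer rely on (no cookie present) has no test, so a regression there would go unnoticed. It also hard-codes the cookie name `_t` instead of using `Auth::DefaultCurrentUserProvider::TOKEN_COOKIE`, which presumably holds that value; building the header from the constant keeps the spec aligned with the code under test. Suggest adding a second example alongside the existing one. The enclosing `describe Guardian` block extends beyond the hunk.
```ruby
it 'returns nil when the request carries no auth token cookie' do
  guardian = Guardian.new(user, Rack::Request.new(Rack::MockRequest.env_for("/")))
  expect(guardian.auth_token).to eq(nil)
end
```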
@ -3270,9 +3270,6 @@ describe UsersController do
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'logs user out' do
|
it 'logs user out' do
|
||||||
SiteSetting.log_out_strict = false
|
|
||||||
expect(user.user_auth_tokens.count).to eq(2)
|
|
||||||
|
|
||||||
ids = user.user_auth_tokens.map { |token| token.id }
|
ids = user.user_auth_tokens.map { |token| token.id }
|
||||||
post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: ids[0] }
|
post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: ids[0] }
|
||||||
|
|
||||||
|
@ -3283,20 +3280,17 @@ describe UsersController do
|
||||||
expect(user.user_auth_tokens.first.id).to eq(ids[1])
|
expect(user.user_auth_tokens.first.id).to eq(ids[1])
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'logs user out from everywhere if log_out_strict is enabled' do
|
it 'does not let user log out of current session' do
|
||||||
SiteSetting.log_out_strict = true
|
token = UserAuthToken.generate!(user_id: user.id)
|
||||||
expect(user.user_auth_tokens.count).to eq(2)
|
env = Rack::MockRequest.env_for("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token};")
|
||||||
|
Guardian.any_instance.stubs(:request).returns(Rack::Request.new(env))
|
||||||
|
|
||||||
ids = user.user_auth_tokens.map { |token| token.id }
|
post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: token.id }
|
||||||
post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: ids[0] }
|
|
||||||
|
|
||||||
expect(response.status).to eq(200)
|
expect(response.status).to eq(404)
|
||||||
expect(user.user_auth_tokens.count).to eq(0)
|
|
||||||
end
|
end
|
||||||
|
|
||||||
it 'logs user out from everywhere if token_id is not present' do
|
it 'logs user out from everywhere if token_id is not present' do
|
||||||
expect(user.user_auth_tokens.count).to eq(2)
|
|
||||||
|
|
||||||
post "/u/#{user.username}/preferences/revoke-auth-token.json"
|
post "/u/#{user.username}/preferences/revoke-auth-token.json"
|
||||||
|
|
||||||
expect(response.status).to eq(200)
|
expect(response.status).to eq(200)
|
||||||
|
|
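Review bot: The new 'does not let user log out of current session' example asserts the 404 but never checks that the token survived, which is the actual property being protected; add `expect(UserAuthToken.exists?(token.id)).to eq(true)` after the status expectation. Stubbing `Guardian.any_instance.stubs(:request)` also bypasses the real cookie path, so this spec would still pass if the controller read the cookie through some other route; if the request-spec helpers allow sending the `_t` cookie as a header, that would exercise the code as deployed. In the earlier hunk of this file the precondition `expect(user.user_auth_tokens.count).to eq(2)` was dropped from 'logs user out', leaving the later `first.id` assertion without a guarantee about how many tokens existed beforehand; consider keeping it. The surrounding `describe UsersController` block continues outside the hunk.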