SECURITY: expire all existing sessions if user changes passwords

2024-12-16 00:13:44 +08:00 · 2015-06-06 03:09:02 +10:00 · 2015-06-06 03:09:02 +10:00 · 3151192626
commit 3151192626
parent ec88c08f24
2 changed files with 16 additions and 7 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -320,7 +320,10 @@ class User < ActiveRecord::Base

  def password=(password)
    # special case for passwordless accounts
-    @raw_password = password unless password.blank?
+    unless password.blank?
+      @raw_password = password
+      self.auth_token = nil
+    end
  end

  def password
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -509,18 +509,24 @@ describe User do
  end

  describe 'passwords' do
-    before do
+
+    it "should not have an active account with a good password" do
      @user = Fabricate.build(:user, active: false)
      @user.password = "ilovepasta"
      @user.save!
-    end

-    it "should have a valid password after the initial save" do
-      expect(@user.confirm_password?("ilovepasta")).to eq(true)
-    end
+      @user.auth_token = SecureRandom.hex(16)
+      @user.save!

-    it "should not have an active account after initial save" do
      expect(@user.active).to eq(false)
+      expect(@user.confirm_password?("ilovepasta")).to eq(true)
+
+      old_token = @user.auth_token
+      @user.password = "passwordT"
+      @user.save!
+
+      # must expire old token on password change
+      expect(@user.auth_token).to_not eq(old_token)
    end
  end