From 315119262683b09d4e9a73a33e13517bbb748090 Mon Sep 17 00:00:00 2001
From: Sam Saffron
Date: Sat, 6 Jun 2015 03:09:02 +1000
Subject: [PATCH] SECURITY: expire all existing sessions if user changes passwords
---
 app/models/user.rb | 5 ++++-
 spec/models/user_spec.rb | 18 ++++++++++++------
 2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/app/models/user.rb b/app/models/user.rb
index 0b528cbefeb..a55a3e754c1 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -320,7 +320,10 @@ class User < ActiveRecord::Base
   def password=(password)
     # special case for passwordless accounts
-    @raw_password = password unless password.blank?
+    unless password.blank?
+      @raw_password = password
+      self.auth_token = nil
+    end
   end
   def password
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 9e676b14945..a204083e085 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -509,18 +509,24 @@ describe User do
   end
   describe 'passwords' do
-    before do
+
+    it "should not have an active account with a good password" do
       @user = Fabricate.build(:user, active: false)
       @user.password = "ilovepasta"
       @user.save!
-    end
-    it "should have a valid password after the initial save" do
-      expect(@user.confirm_password?("ilovepasta")).to eq(true)
-    end
+      @user.auth_token = SecureRandom.hex(16)
+      @user.save!
-    it "should not have an active account after initial save" do
       expect(@user.active).to eq(false)
+      expect(@user.confirm_password?("ilovepasta")).to eq(true)
+
+      old_token = @user.auth_token
+      @user.password = "passwordT"
+      @user.save!
+
+      # must expire old token on password change
+      expect(@user.auth_token).to_not eq(old_token)
     end
   end
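Review bot: The `self.auth_token = nil` added inside `password=` is the whole session-expiry mechanism, but nothing in the hunk records that intent, so a later cleanup of the setter could drop it without any reviewer noticing; a comment above the assignment such as `# any password change clears auth_token so every existing session is expired` would protect it. Whether every password-changing path (reset flows, administrative changes) goes through `password=` is not visible here and is worth confirming, since a path that writes the stored hash directly would leave old sessions valid. It is also worth checking that the controller handling a self-service password change issues a fresh token for the current session, otherwise the user is logged out of the session they changed the password from. The `User` class continues outside the hunk.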
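Review bot: The final assertion `expect(@user.auth_token).to_not eq(old_token)` is satisfied by `nil`, which is exactly what the model setter assigns, so the spec proves the old token is gone but says nothing about whether a usable replacement exists after `save!`; if a new token is expected, add `expect(@user.auth_token).to be_present`, and if expiry alone is intended, assert `expect(@user.auth_token).to be_nil` so the example pins the real behaviour. The merged example also keeps the "not active" and "password valid" checks under the name "should not have an active account with a good password", which no longer describes the expiry assertion that the commit is about; moving that check into its own `it "expires the auth token when the password changes"` would keep a failure readable. The enclosing `describe User do` block starts outside the hunk.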