SECURITY: log off all existing sessions when resetting password

2025-01-19 05:52:49 +08:00 · 2015-04-15 08:57:43 +10:00 · 2015-04-15 08:57:43 +10:00 · 34c3b2966c
commit 34c3b2966c
parent 9cb6ba0f8f
2 changed files with 8 additions and 1 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -311,6 +311,7 @@ class UsersController < ApplicationController
      else
        @user.password = params[:password]
        @user.password_required!
+        @user.auth_token = nil
        if @user.save
          Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
          logon_after_password_reset
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@ -271,13 +271,19 @@ describe UsersController do

    context 'valid token' do
      it 'returns success' do
-        user = Fabricate(:user)
+        user = Fabricate(:user, auth_token: SecureRandom.hex(16))
        token = user.email_tokens.create(email: user.email).token

+        old_token = user.auth_token
+
        get :password_reset, token: token
        put :password_reset, token: token, password: 'newpassword'
        expect(response).to be_success
        expect(flash[:error]).to be_blank
+
+        user.reload
+        expect(user.auth_token).to_not eq old_token
+        expect(user.auth_token.length).to eq 32
      end
    end