Return 400 instead of 404 for bad token

This commit is contained in:
Sam 2018-10-12 10:51:41 +11:00
parent 048cdfbcfa
commit a1c912b630
3 changed files with 5 additions and 6 deletions

View File

@ -1122,7 +1122,7 @@ class UsersController < ApplicationController
if params[:token_id]
token = UserAuthToken.find_by(id: params[:token_id], user_id: user.id)
# The user should not be able to revoke the auth token of current session.
raise Discourse::NotFound if guardian.auth_token == token.auth_token
raise Discourse::InvalidParameters.new(:token_id) if guardian.auth_token == token.auth_token
UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)
else
UserAuthToken.where(user_id: user.id).each(&:destroy!)

View File

@ -382,11 +382,10 @@ class Guardian
end
def auth_token
return nil if !request&.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
cookie = request.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
if cookie = request&.cookies[Auth::DefaultCurrentUserProvider::TOKEN_COOKIE]
UserAuthToken.hash_token(cookie)
end
end
private

View File

@ -3287,7 +3287,7 @@ describe UsersController do
post "/u/#{user.username}/preferences/revoke-auth-token.json", params: { token_id: token.id }
expect(response.status).to eq(404)
expect(response.status).to eq(400)
end
it 'logs user out from everywhere if token_id is not present' do