FIX: Allow user to log in another account using the same device (client_id) (#29121)

Allow user to log in another account using the same device (client_id)
2024-11-22 13:39:42 +08:00 · 2024-10-14 12:39:20 +08:00 · 2024-10-14 12:39:20 +08:00 · ede06ffd43
commit ede06ffd43
parent d3f09f8f61
2 changed files with 21 additions and 2 deletions
--- a/app/controllers/user_api_keys_controller.rb
+++ b/app/controllers/user_api_keys_controller.rb
@ -61,8 +61,7 @@ class UserApiKeysController < ApplicationController
    @application_name = params[:application_name]
    scopes = params[:scopes].split(",")

-    # destroy any old keys we had
-    UserApiKey.where(user_id: current_user.id, client_id: params[:client_id]).destroy_all
+    UserApiKey.where(client_id: params[:client_id]).destroy_all

    key =
      UserApiKey.create!(
--- a/spec/requests/user_api_keys_controller_spec.rb
+++ b/spec/requests/user_api_keys_controller_spec.rb
@ -294,6 +294,26 @@ RSpec.describe UserApiKeysController do
      uri = URI.parse(response.redirect_url)
      expect(uri.to_s).to include(query_str)
    end
+
+    it "revokes API key when client_id used by another user" do
+      user1 = Fabricate(:trust_level_0)
+      user2 = Fabricate(:trust_level_0)
+      key = Fabricate(:user_api_key, user: user1)
+
+      SiteSetting.user_api_key_allowed_groups = Group::AUTO_GROUPS[:trust_level_0]
+      SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect]
+      SiteSetting.allowed_user_api_push_urls = "https://push.it/here"
+      args[:client_id] = key.client_id
+      args[:scopes] = "push,notifications,message_bus,session_info,one_time_password"
+      args[:push_url] = "https://push.it/here"
+
+      sign_in(user2)
+
+      post "/user-api-key.json", params: args
+
+      expect(response.status).to eq(302)
+      expect(UserApiKey.exists?(key.id)).to eq(false)
+    end
  end

  describe "#create-one-time-password" do