From 224618fd3bbaa640b5d20bb41bc2bbbaf70e2d32 Mon Sep 17 00:00:00 2001 From: Emelia Smith Date: Wed, 17 Jan 2024 20:38:21 +0100 Subject: [PATCH] Ensure password resets revoke access to Streaming API --- app/models/user.rb | 7 +++++++ spec/models/user_spec.rb | 5 +++++ 2 files changed, 12 insertions(+) diff --git a/app/models/user.rb b/app/models/user.rb index 56e575ca42..9a60921f0e 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -359,6 +359,13 @@ class User < ApplicationRecord Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch| batch.update_all(revoked_at: Time.now.utc) Web::PushSubscription.where(access_token_id: batch).delete_all + + # Revoke each access token for the Streaming API, since `update_all`` + # doesn't trigger ActiveRecord Callbacks: + # TODO: #28793 Combine into a single topic + batch.each do |token| + redis.publish("timeline:access_token:#{token.id}", Oj.dump(event: :kill)) + end end end diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb index 7f68671df4..12bdd01331 100644 --- a/spec/models/user_spec.rb +++ b/spec/models/user_spec.rb @@ -439,6 +439,7 @@ RSpec.describe User do let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) } before do + allow(redis).to receive_messages(publish: nil) user.reset_password! end @@ -455,6 +456,10 @@ RSpec.describe User do expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0 end + it 'revokes streaming access for all access tokens' do + expect(redis).to have_received(:publish).with("timeline:access_token:#{access_token.id}", Oj.dump(event: :kill)).once + end + it 'removes push subscriptions' do expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0 expect { web_push_subscription.reload }.to raise_error(ActiveRecord::RecordNotFound)