Ensure password resets revoke access to Streaming API

glitch-soc/security/59893a4eabb7edc836a6fe87e0fcad62e56d66ed
Emelia Smith 2024-01-17 20:38:21 +01:00 committed by Claire
parent a4f2b4a080
commit 56e11650e5
2 changed files with 12 additions and 0 deletions

View File

@ -360,6 +360,13 @@ class User < ApplicationRecord
Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch| Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch|
batch.update_all(revoked_at: Time.now.utc) batch.update_all(revoked_at: Time.now.utc)
Web::PushSubscription.where(access_token_id: batch).delete_all Web::PushSubscription.where(access_token_id: batch).delete_all
# Revoke each access token for the Streaming API, since `update_all``
# doesn't trigger ActiveRecord Callbacks:
# TODO: #28793 Combine into a single topic
batch.each do |token|
redis.publish("timeline:access_token:#{token.id}", Oj.dump(event: :kill))
end
end end
end end

View File

@ -433,6 +433,7 @@ RSpec.describe User do
let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) } let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }
before do before do
allow(redis).to receive_messages(publish: nil)
user.reset_password! user.reset_password!
end end
@ -448,6 +449,10 @@ RSpec.describe User do
expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0 expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0
end end
it 'revokes streaming access for all access tokens' do
expect(redis).to have_received(:publish).with("timeline:access_token:#{access_token.id}", Oj.dump(event: :kill)).once
end
it 'removes push subscriptions' do it 'removes push subscriptions' do
expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0 expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0
end end