Ensure password resets revoke access to Streaming API
parent
46d24cdfaa
commit
ef3804a494
|
@ -359,6 +359,13 @@ class User < ApplicationRecord
|
|||
Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch|
|
||||
batch.update_all(revoked_at: Time.now.utc)
|
||||
Web::PushSubscription.where(access_token_id: batch).delete_all
|
||||
|
||||
# Revoke each access token for the Streaming API, since `update_all``
|
||||
# doesn't trigger ActiveRecord Callbacks:
|
||||
# TODO: #28793 Combine into a single topic
|
||||
batch.each do |token|
|
||||
redis.publish("timeline:access_token:#{token.id}", Oj.dump(event: :kill))
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
@ -439,6 +439,7 @@ RSpec.describe User do
|
|||
let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }
|
||||
|
||||
before do
|
||||
allow(redis).to receive_messages(publish: nil)
|
||||
user.reset_password!
|
||||
end
|
||||
|
||||
|
@ -454,6 +455,10 @@ RSpec.describe User do
|
|||
expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0
|
||||
end
|
||||
|
||||
it 'revokes streaming access for all access tokens' do
|
||||
expect(redis).to have_received(:publish).with("timeline:access_token:#{access_token.id}", Oj.dump(event: :kill)).once
|
||||
end
|
||||
|
||||
it 'removes push subscriptions' do
|
||||
expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue