Fix password change/reset not immediately invalidating other sessions (#12928)

While making browser requests in the other sessions after a password
change or reset does not allow you to be logged in and correctly
invalidates the session making the request, sessions have API tokens
associated with them, which can still be used until that session
is invalidated.

This is a security issue for accounts that were already compromised
some other way because it makes it harder to throw out the hijacker.
remotes/1727458204337373841/tmp_refs/heads/signup-info-prompt
Eugen Rochko 2020-01-24 00:20:38 +01:00 committed by GitHub
parent ce1dee85b5
commit daf71573d0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 1 deletions

View File

@ -6,6 +6,12 @@ class Auth::PasswordsController < Devise::PasswordsController
layout 'auth' layout 'auth'
def update
super do |resource|
resource.session_activations.destroy_all if resource.errors.empty?
end
end
private private
def check_validity_of_reset_password_token def check_validity_of_reset_password_token

View File

@ -22,10 +22,17 @@ class Auth::RegistrationsController < Devise::RegistrationsController
not_found not_found
end end
def update
super do |resource|
resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
end
end
protected protected
def update_resource(resource, params) def update_resource(resource, params)
params[:password] = nil if Devise.pam_authentication && resource.encrypted_password.blank? params[:password] = nil if Devise.pam_authentication && resource.encrypted_password.blank?
super super
end end

View File

@ -247,7 +247,7 @@ class User < ApplicationRecord
ip: request.remote_ip).session_id ip: request.remote_ip).session_id
end end
def exclusive_session(id) def clear_other_sessions(id)
session_activations.exclusive(id) session_activations.exclusive(id)
end end