From 2a3f71a9a1717c420c047dc379d3367858c82391 Mon Sep 17 00:00:00 2001
From: Sam
Date: Wed, 15 Apr 2015 08:57:43 +1000
Subject: [PATCH] SECURITY: log off all existing sessions when resetting password

---
 app/controllers/users_controller.rb | 1 +
 spec/controllers/users_controller_spec.rb | 8 +++++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 23dfb4870..137cf9d6b 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -321,6 +321,7 @@ class UsersController < ApplicationController
 else
 @user.password = params[:password]
 @user.password_required!
+ @user.auth_token = nil
 if @user.save
 Invite.invalidate_for_email(@user.email) # invite link can't be used to log in anymore
 logon_after_password_reset
diff --git a/spec/controllers/users_controller_spec.rb b/spec/controllers/users_controller_spec.rb
index 159e007c7..39e4aae8e 100644
--- a/spec/controllers/users_controller_spec.rb
+++ b/spec/controllers/users_controller_spec.rb
@@ -266,13 +266,19 @@ describe UsersController do
 context 'valid token' do
 it 'returns success' do
- user = Fabricate(:user)
+ user = Fabricate(:user, auth_token: SecureRandom.hex(16))
 token = user.email_tokens.create(email: user.email).token
+ old_token = user.auth_token
+
 get :password_reset, token: token
 put :password_reset, token: token, password: 'newpassword'
 expect(response).to be_success
 expect(assigns[:error]).to be_blank
+
+ user.reload
+ expect(user.auth_token).to_not eq old_token
+ expect(user.auth_token.length).to eq 32
 end
 end
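Review bot: The added `@user.auth_token = nil` carries no explanation of its security intent, while the neighbouring `Invite.invalidate_for_email` line does document why it is there; I would mirror that style with `@user.auth_token = nil # drop the shared session token so every other logged-in device is signed out by the reset`. Note that the nil only reaches the database if `@user.save` succeeds, which is the right coupling (no password change, no logout), but it also means the user resetting their password has no session token until `logon_after_password_reset` mints a new one — the spec's `auth_token.length == 32` assertion suggests that method does so, though it is outside this hunk and should be confirmed. Revoking a single `auth_token` column only covers cookie sessions; if the application has other long-lived credentials tied to the account (API keys, remember-me tokens), they are not touched by this change and a reader should not assume otherwise from the commit subject. The enclosing `password_reset` action, including the token-validation branch this `else` belongs to, starts and ends outside the hunk.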