Merge branch 'security/clear-oauth-with-password' into 'develop'

Delete Tokens and Authorizations on password change

Closes #320

See merge request pleroma/pleroma!375
This commit is contained in:
kaniini 2018-10-14 19:29:58 +00:00
commit e0c035589a
5 changed files with 77 additions and 2 deletions

View file

@ -4,7 +4,7 @@ defmodule Pleroma.User do
import Ecto.{Changeset, Query}
alias Pleroma.{Repo, User, Object, Web, Activity, Notification}
alias Comeonin.Pbkdf2
alias Pleroma.Web.{OStatus, Websub}
alias Pleroma.Web.{OStatus, Websub, OAuth}
alias Pleroma.Web.ActivityPub.{Utils, ActivityPub}
schema "users" do
@ -132,6 +132,9 @@ def password_update_changeset(struct, params) do
|> validate_required([:password, :password_confirmation])
|> validate_confirmation(:password)
OAuth.Token.delete_user_tokens(struct)
OAuth.Authorization.delete_user_authorizations(struct)
if changeset.valid? do
hashed = Pbkdf2.hashpwsalt(changeset.changes[:password])

View file

@ -4,7 +4,7 @@ defmodule Pleroma.Web.OAuth.Authorization do
alias Pleroma.{User, Repo}
alias Pleroma.Web.OAuth.{Authorization, App}
import Ecto.{Changeset}
import Ecto.{Changeset, Query}
schema "oauth_authorizations" do
field(:token, :string)
@ -45,4 +45,12 @@ def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do
end
def use_token(%Authorization{used: true}), do: {:error, "already used"}
def delete_user_authorizations(%User{id: user_id}) do
from(
a in Pleroma.Web.OAuth.Authorization,
where: a.user_id == ^user_id
)
|> Repo.delete_all()
end
end

View file

@ -1,6 +1,8 @@
defmodule Pleroma.Web.OAuth.Token do
use Ecto.Schema
import Ecto.Query
alias Pleroma.{User, Repo}
alias Pleroma.Web.OAuth.{Token, App, Authorization}
@ -35,4 +37,12 @@ def create_token(%App{} = app, %User{} = user) do
Repo.insert(token)
end
def delete_user_tokens(%User{id: user_id}) do
from(
t in Pleroma.Web.OAuth.Token,
where: t.user_id == ^user_id
)
|> Repo.delete_all()
end
end

View file

@ -55,4 +55,26 @@ test "use up a token" do
assert {:error, "token expired"} == Authorization.use_token(expired_auth)
end
test "delete authorizations" do
{:ok, app} =
Repo.insert(
App.register_changeset(%App{}, %{
client_name: "client",
scopes: "scope",
redirect_uris: "url"
})
)
user = insert(:user)
{:ok, auth} = Authorization.create_authorization(app, user)
{:ok, auth} = Authorization.use_token(auth)
{auths, _} = Authorization.delete_user_authorizations(user)
{_, invalid} = Authorization.use_token(auth)
assert auth != invalid
end
end

View file

@ -29,4 +29,36 @@ test "exchanges a auth token for an access token" do
auth = Repo.get(Authorization, auth.id)
{:error, "already used"} = Token.exchange_token(app, auth)
end
test "deletes all tokens of a user" do
{:ok, app1} =
Repo.insert(
App.register_changeset(%App{}, %{
client_name: "client1",
scopes: "scope",
redirect_uris: "url"
})
)
{:ok, app2} =
Repo.insert(
App.register_changeset(%App{}, %{
client_name: "client2",
scopes: "scope",
redirect_uris: "url"
})
)
user = insert(:user)
{:ok, auth1} = Authorization.create_authorization(app1, user)
{:ok, auth2} = Authorization.create_authorization(app2, user)
{:ok, token1} = Token.exchange_token(app1, auth1)
{:ok, token2} = Token.exchange_token(app2, auth2)
{tokens, _} = Token.delete_user_tokens(user)
assert tokens == 2
end
end