Merge branch 'security/clear-oauth-with-password' into 'develop'
Delete Tokens and Authorizations on password change Closes #320 See merge request pleroma/pleroma!375
This commit is contained in:
commit
e0c035589a
5 changed files with 77 additions and 2 deletions
|
@ -4,7 +4,7 @@ defmodule Pleroma.User do
|
|||
import Ecto.{Changeset, Query}
|
||||
alias Pleroma.{Repo, User, Object, Web, Activity, Notification}
|
||||
alias Comeonin.Pbkdf2
|
||||
alias Pleroma.Web.{OStatus, Websub}
|
||||
alias Pleroma.Web.{OStatus, Websub, OAuth}
|
||||
alias Pleroma.Web.ActivityPub.{Utils, ActivityPub}
|
||||
|
||||
schema "users" do
|
||||
|
@ -132,6 +132,9 @@ def password_update_changeset(struct, params) do
|
|||
|> validate_required([:password, :password_confirmation])
|
||||
|> validate_confirmation(:password)
|
||||
|
||||
OAuth.Token.delete_user_tokens(struct)
|
||||
OAuth.Authorization.delete_user_authorizations(struct)
|
||||
|
||||
if changeset.valid? do
|
||||
hashed = Pbkdf2.hashpwsalt(changeset.changes[:password])
|
||||
|
||||
|
|
|
@ -4,7 +4,7 @@ defmodule Pleroma.Web.OAuth.Authorization do
|
|||
alias Pleroma.{User, Repo}
|
||||
alias Pleroma.Web.OAuth.{Authorization, App}
|
||||
|
||||
import Ecto.{Changeset}
|
||||
import Ecto.{Changeset, Query}
|
||||
|
||||
schema "oauth_authorizations" do
|
||||
field(:token, :string)
|
||||
|
@ -45,4 +45,12 @@ def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do
|
|||
end
|
||||
|
||||
def use_token(%Authorization{used: true}), do: {:error, "already used"}
|
||||
|
||||
def delete_user_authorizations(%User{id: user_id}) do
|
||||
from(
|
||||
a in Pleroma.Web.OAuth.Authorization,
|
||||
where: a.user_id == ^user_id
|
||||
)
|
||||
|> Repo.delete_all()
|
||||
end
|
||||
end
|
||||
|
|
|
@ -1,6 +1,8 @@
|
|||
defmodule Pleroma.Web.OAuth.Token do
|
||||
use Ecto.Schema
|
||||
|
||||
import Ecto.Query
|
||||
|
||||
alias Pleroma.{User, Repo}
|
||||
alias Pleroma.Web.OAuth.{Token, App, Authorization}
|
||||
|
||||
|
@ -35,4 +37,12 @@ def create_token(%App{} = app, %User{} = user) do
|
|||
|
||||
Repo.insert(token)
|
||||
end
|
||||
|
||||
def delete_user_tokens(%User{id: user_id}) do
|
||||
from(
|
||||
t in Pleroma.Web.OAuth.Token,
|
||||
where: t.user_id == ^user_id
|
||||
)
|
||||
|> Repo.delete_all()
|
||||
end
|
||||
end
|
||||
|
|
|
@ -55,4 +55,26 @@ test "use up a token" do
|
|||
|
||||
assert {:error, "token expired"} == Authorization.use_token(expired_auth)
|
||||
end
|
||||
|
||||
test "delete authorizations" do
|
||||
{:ok, app} =
|
||||
Repo.insert(
|
||||
App.register_changeset(%App{}, %{
|
||||
client_name: "client",
|
||||
scopes: "scope",
|
||||
redirect_uris: "url"
|
||||
})
|
||||
)
|
||||
|
||||
user = insert(:user)
|
||||
|
||||
{:ok, auth} = Authorization.create_authorization(app, user)
|
||||
{:ok, auth} = Authorization.use_token(auth)
|
||||
|
||||
{auths, _} = Authorization.delete_user_authorizations(user)
|
||||
|
||||
{_, invalid} = Authorization.use_token(auth)
|
||||
|
||||
assert auth != invalid
|
||||
end
|
||||
end
|
||||
|
|
|
@ -29,4 +29,36 @@ test "exchanges a auth token for an access token" do
|
|||
auth = Repo.get(Authorization, auth.id)
|
||||
{:error, "already used"} = Token.exchange_token(app, auth)
|
||||
end
|
||||
|
||||
test "deletes all tokens of a user" do
|
||||
{:ok, app1} =
|
||||
Repo.insert(
|
||||
App.register_changeset(%App{}, %{
|
||||
client_name: "client1",
|
||||
scopes: "scope",
|
||||
redirect_uris: "url"
|
||||
})
|
||||
)
|
||||
|
||||
{:ok, app2} =
|
||||
Repo.insert(
|
||||
App.register_changeset(%App{}, %{
|
||||
client_name: "client2",
|
||||
scopes: "scope",
|
||||
redirect_uris: "url"
|
||||
})
|
||||
)
|
||||
|
||||
user = insert(:user)
|
||||
|
||||
{:ok, auth1} = Authorization.create_authorization(app1, user)
|
||||
{:ok, auth2} = Authorization.create_authorization(app2, user)
|
||||
|
||||
{:ok, token1} = Token.exchange_token(app1, auth1)
|
||||
{:ok, token2} = Token.exchange_token(app2, auth2)
|
||||
|
||||
{tokens, _} = Token.delete_user_tokens(user)
|
||||
|
||||
assert tokens == 2
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in a new issue