sunoru/mastodon
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Fix other sessions not being logged out on password change (#14252)

Browse source 
While OAuth tokens were immediately revoked, accessing the home
controller immediately generated new OAuth tokens and "revived"
the session due to a combination of using remember_me tokens and
overwriting the `authenticate_user!` method
This commit is contained in:
Eugen Rochko 2020-07-07 15:26:31 +02:00 committed by GitHub
parent 1c903c7ad6
commit 844870273f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 14 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

5
app/controllers/auth/passwords_controller.rb
View file

@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController
def update
super do |resource|
resource.session_activations.destroy_all if resource.errors.empty?
if resource.errors.empty?
resource.session_activations.destroy_all
resource.forget_me!
end
end
end