clear sessions on password reset

2024-09-16 02:52:31 -04:00 · 2016-07-05 14:19:59 +01:00 · 2016-07-05 14:19:59 +01:00 · 6e282ab308
commit 6e282ab308
parent bec3d2ad42
2 changed files with 20 additions and 7 deletions
--- a/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
+++ b/services/web/app/coffee/Features/PasswordReset/PasswordResetController.coffee
@ -2,6 +2,7 @@ PasswordResetHandler = require("./PasswordResetHandler")
 RateLimiter = require("../../infrastructure/RateLimiter")
 AuthenticationController = require("../Authentication/AuthenticationController")
 UserGetter = require("../User/UserGetter")
+UserSessionsManager = require("../User/UserSessionsManager")
 logger = require "logger-sharelatex"

 module.exports =
@ -47,11 +48,13 @@ module.exports =
 		PasswordResetHandler.setNewUserPassword passwordResetToken?.trim(), password?.trim(), (err, found, user_id) ->
 			return next(err) if err?
 			if found
-				if req.body.login_after
-					UserGetter.getUser user_id, {email: 1}, (err, user) ->
-						return next(err) if err?
-						AuthenticationController.doLogin {email:user.email, password: password}, req, res, next
-				else
-					res.sendStatus 200
+				UserSessionsManager.revokeAllUserSessions {_id: user_id}, [], (err) ->
+					return next(err) if err?
+					if req.body.login_after
+						UserGetter.getUser user_id, {email: 1}, (err, user) ->
+							return next(err) if err?
+							AuthenticationController.doLogin {email:user.email, password: password}, req, res, next
+					else
+						res.sendStatus 200
 			else
 				res.sendStatus 404
--- a/services/web/test/UnitTests/coffee/PasswordReset/PasswordResetControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/PasswordReset/PasswordResetControllerTests.coffee
@ -17,6 +17,8 @@ describe "PasswordResetController", ->
 			setNewUserPassword:sinon.stub()
 		@RateLimiter =
 			addCount: sinon.stub()
+		@UserSessionsManager =
+			revokeAllUserSessions: sinon.stub().callsArgWith(2, null)
 		@PasswordResetController = SandboxedModule.require modulePath, requires:
 			"settings-sharelatex":@settings
 			"./PasswordResetHandler":@PasswordResetHandler
@ -24,6 +26,7 @@ describe "PasswordResetController", ->
 			"../../infrastructure/RateLimiter":@RateLimiter
 			"../Authentication/AuthenticationController": @AuthenticationController = {}
 			"../User/UserGetter": @UserGetter = {}
+			"../User/UserSessionsManager": @UserSessionsManager

 		@email = "bob@bob.com "
 		@token = "my security token that was emailed to me"
@ -134,7 +137,14 @@ describe "PasswordResetController", ->
 				@req.session.should.not.have.property 'resetToken'
 				done()
 			@PasswordResetController.setNewUserPassword @req, @res
-		
+
+		it 'should clear sessions', (done) ->
+			@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true)
+			@res.sendStatus = (code)=>
+				@UserSessionsManager.revokeAllUserSessions.callCount.should.equal 1
+				done()
+			@PasswordResetController.setNewUserPassword @req, @res
+
 		it "should login user if login_after is set", (done) ->
 			@UserGetter.getUser = sinon.stub().callsArgWith(2, null, { email: "joe@example.com" })
 			@PasswordResetHandler.setNewUserPassword.callsArgWith(2, null, true, @user_id = "user-id-123")