Fix other sessions not being logged out on password change

While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
2020-06-23 02:57:00 +02:00 · 2020-06-23 02:57:00 +02:00 · fa3f78e4bf
commit fa3f78e4bf
parent c9dcc2d39f
3 changed files with 14 additions and 3 deletions
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController

  def update
    super do |resource|
-      resource.session_activations.destroy_all if resource.errors.empty?
+      if resource.errors.empty?
+        resource.session_activations.destroy_all
+        resource.forget_me!
+      end
    end
  end

--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class Auth::RegistrationsController < Devise::RegistrationsController
+  include Devise::Controllers::Rememberable
+
  layout :determine_layout

  before_action :set_invite, only: [:new, :create]
@ -24,7 +26,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController

  def update
    super do |resource|
-      resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
+      if resource.saved_change_to_encrypted_password?
+        resource.clear_other_sessions(current_session.session_id)
+        resource.forget_me!
+        remember_me(resource)
+      end
    end
  end

--- a/app/controllers/home_controller.rb
+++ b/app/controllers/home_controller.rb
@ -1,6 +1,7 @@
 # frozen_string_literal: true

 class HomeController < ApplicationController
+  before_action :redirect_unauthenticated_to_permalinks!
  before_action :authenticate_user!
  before_action :set_referrer_policy_header

@ -10,7 +11,7 @@ class HomeController < ApplicationController

  private

-  def authenticate_user!
+  def redirect_unauthenticated_to_permalinks!
    return if user_signed_in?

    matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/)
@ -35,6 +36,7 @@ class HomeController < ApplicationController
    end

    matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z})
+
    redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path)
  end