From eacab0fb056ffc018b7e0abea27db7af435dc553 Mon Sep 17 00:00:00 2001 From: "Haelwenn (lanodan) Monnier" Date: Sun, 14 Oct 2018 01:45:11 +0200 Subject: [PATCH] Delete Tokens and Authorizations on password change Closes: https://git.pleroma.social/pleroma/pleroma/issues/320 --- lib/pleroma/user.ex | 5 +++- lib/pleroma/web/oauth/authorization.ex | 10 +++++++- lib/pleroma/web/oauth/token.ex | 10 ++++++++ test/web/oauth/authorization_test.exs | 22 ++++++++++++++++++ test/web/oauth/token_test.exs | 32 ++++++++++++++++++++++++++ 5 files changed, 77 insertions(+), 2 deletions(-) diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex index db6f96daa..e97224731 100644 --- a/lib/pleroma/user.ex +++ b/lib/pleroma/user.ex @@ -4,7 +4,7 @@ defmodule Pleroma.User do import Ecto.{Changeset, Query} alias Pleroma.{Repo, User, Object, Web, Activity, Notification} alias Comeonin.Pbkdf2 - alias Pleroma.Web.{OStatus, Websub} + alias Pleroma.Web.{OStatus, Websub, OAuth} alias Pleroma.Web.ActivityPub.{Utils, ActivityPub} schema "users" do @@ -132,6 +132,9 @@ def password_update_changeset(struct, params) do |> validate_required([:password, :password_confirmation]) |> validate_confirmation(:password) + OAuth.Token.delete_user_tokens(struct) + OAuth.Authorization.delete_user_authorizations(struct) + if changeset.valid? do hashed = Pbkdf2.hashpwsalt(changeset.changes[:password]) diff --git a/lib/pleroma/web/oauth/authorization.ex b/lib/pleroma/web/oauth/authorization.ex index 23e8eb7b1..2cad4550a 100644 --- a/lib/pleroma/web/oauth/authorization.ex +++ b/lib/pleroma/web/oauth/authorization.ex @@ -4,7 +4,7 @@ defmodule Pleroma.Web.OAuth.Authorization do alias Pleroma.{User, Repo} alias Pleroma.Web.OAuth.{Authorization, App} - import Ecto.{Changeset} + import Ecto.{Changeset, Query} schema "oauth_authorizations" do field(:token, :string) @@ -45,4 +45,12 @@ def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do end def use_token(%Authorization{used: true}), do: {:error, "already used"} + + def delete_user_authorizations(%User{id: user_id}) do + from( + a in Pleroma.Web.OAuth.Authorization, + where: a.user_id == ^user_id + ) + |> Repo.delete_all() + end end diff --git a/lib/pleroma/web/oauth/token.ex b/lib/pleroma/web/oauth/token.ex index 343fc0c45..a77d5af35 100644 --- a/lib/pleroma/web/oauth/token.ex +++ b/lib/pleroma/web/oauth/token.ex @@ -1,6 +1,8 @@ defmodule Pleroma.Web.OAuth.Token do use Ecto.Schema + import Ecto.Query + alias Pleroma.{User, Repo} alias Pleroma.Web.OAuth.{Token, App, Authorization} @@ -35,4 +37,12 @@ def create_token(%App{} = app, %User{} = user) do Repo.insert(token) end + + def delete_user_tokens(%User{id: user_id}) do + from( + t in Pleroma.Web.OAuth.Token, + where: t.user_id == ^user_id + ) + |> Repo.delete_all() + end end diff --git a/test/web/oauth/authorization_test.exs b/test/web/oauth/authorization_test.exs index 4a9e2a3ac..98c7c4133 100644 --- a/test/web/oauth/authorization_test.exs +++ b/test/web/oauth/authorization_test.exs @@ -55,4 +55,26 @@ test "use up a token" do assert {:error, "token expired"} == Authorization.use_token(expired_auth) end + + test "delete authorizations" do + {:ok, app} = + Repo.insert( + App.register_changeset(%App{}, %{ + client_name: "client", + scopes: "scope", + redirect_uris: "url" + }) + ) + + user = insert(:user) + + {:ok, auth} = Authorization.create_authorization(app, user) + {:ok, auth} = Authorization.use_token(auth) + + {auths, _} = Authorization.delete_user_authorizations(user) + + {_, invalid} = Authorization.use_token(auth) + + assert auth != invalid + end end diff --git a/test/web/oauth/token_test.exs b/test/web/oauth/token_test.exs index 58448949c..f926ff50b 100644 --- a/test/web/oauth/token_test.exs +++ b/test/web/oauth/token_test.exs @@ -29,4 +29,36 @@ test "exchanges a auth token for an access token" do auth = Repo.get(Authorization, auth.id) {:error, "already used"} = Token.exchange_token(app, auth) end + + test "deletes all tokens of a user" do + {:ok, app1} = + Repo.insert( + App.register_changeset(%App{}, %{ + client_name: "client1", + scopes: "scope", + redirect_uris: "url" + }) + ) + + {:ok, app2} = + Repo.insert( + App.register_changeset(%App{}, %{ + client_name: "client2", + scopes: "scope", + redirect_uris: "url" + }) + ) + + user = insert(:user) + + {:ok, auth1} = Authorization.create_authorization(app1, user) + {:ok, auth2} = Authorization.create_authorization(app2, user) + + {:ok, token1} = Token.exchange_token(app1, auth1) + {:ok, token2} = Token.exchange_token(app2, auth2) + + {tokens, _} = Token.delete_user_tokens(user) + + assert tokens == 2 + end end