Commit e0c03558 authored by kaniini's avatar kaniini

Merge branch 'security/clear-oauth-with-password' into 'develop'

Delete Tokens and Authorizations on password change

Closes #320

See merge request pleroma/pleroma!375
parents 117e0054 eacab0fb
......@@ -4,7 +4,7 @@ defmodule Pleroma.User do
import Ecto.{Changeset, Query}
alias Pleroma.{Repo, User, Object, Web, Activity, Notification}
alias Comeonin.Pbkdf2
alias Pleroma.Web.{OStatus, Websub}
alias Pleroma.Web.{OStatus, Websub, OAuth}
alias Pleroma.Web.ActivityPub.{Utils, ActivityPub}
schema "users" do
......@@ -132,6 +132,9 @@ defmodule Pleroma.User do
|> validate_required([:password, :password_confirmation])
|> validate_confirmation(:password)
OAuth.Token.delete_user_tokens(struct)
OAuth.Authorization.delete_user_authorizations(struct)
if changeset.valid? do
hashed = Pbkdf2.hashpwsalt(changeset.changes[:password])
......
......@@ -4,7 +4,7 @@ defmodule Pleroma.Web.OAuth.Authorization do
alias Pleroma.{User, Repo}
alias Pleroma.Web.OAuth.{Authorization, App}
import Ecto.{Changeset}
import Ecto.{Changeset, Query}
schema "oauth_authorizations" do
field(:token, :string)
......@@ -45,4 +45,12 @@ defmodule Pleroma.Web.OAuth.Authorization do
end
def use_token(%Authorization{used: true}), do: {:error, "already used"}
def delete_user_authorizations(%User{id: user_id}) do
from(
a in Pleroma.Web.OAuth.Authorization,
where: a.user_id == ^user_id
)
|> Repo.delete_all()
end
end
defmodule Pleroma.Web.OAuth.Token do
use Ecto.Schema
import Ecto.Query
alias Pleroma.{User, Repo}
alias Pleroma.Web.OAuth.{Token, App, Authorization}
......@@ -35,4 +37,12 @@ defmodule Pleroma.Web.OAuth.Token do
Repo.insert(token)
end
def delete_user_tokens(%User{id: user_id}) do
from(
t in Pleroma.Web.OAuth.Token,
where: t.user_id == ^user_id
)
|> Repo.delete_all()
end
end
......@@ -55,4 +55,26 @@ defmodule Pleroma.Web.OAuth.AuthorizationTest do
assert {:error, "token expired"} == Authorization.use_token(expired_auth)
end
test "delete authorizations" do
{:ok, app} =
Repo.insert(
App.register_changeset(%App{}, %{
client_name: "client",
scopes: "scope",
redirect_uris: "url"
})
)
user = insert(:user)
{:ok, auth} = Authorization.create_authorization(app, user)
{:ok, auth} = Authorization.use_token(auth)
{auths, _} = Authorization.delete_user_authorizations(user)
{_, invalid} = Authorization.use_token(auth)
assert auth != invalid
end
end
......@@ -29,4 +29,36 @@ defmodule Pleroma.Web.OAuth.TokenTest do
auth = Repo.get(Authorization, auth.id)
{:error, "already used"} = Token.exchange_token(app, auth)
end
test "deletes all tokens of a user" do
{:ok, app1} =
Repo.insert(
App.register_changeset(%App{}, %{
client_name: "client1",
scopes: "scope",
redirect_uris: "url"
})
)
{:ok, app2} =
Repo.insert(
App.register_changeset(%App{}, %{
client_name: "client2",
scopes: "scope",
redirect_uris: "url"
})
)
user = insert(:user)
{:ok, auth1} = Authorization.create_authorization(app1, user)
{:ok, auth2} = Authorization.create_authorization(app2, user)
{:ok, token1} = Token.exchange_token(app1, auth1)
{:ok, token2} = Token.exchange_token(app2, auth2)
{tokens, _} = Token.delete_user_tokens(user)
assert tokens == 2
end
end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment