Merge branch 'security/clear-oauth-with-password' into 'develop'
Delete Tokens and Authorizations on password change Closes #320 See merge request pleroma/pleroma!375
This commit is contained in:
commit
e0c035589a
5 changed files with 77 additions and 2 deletions
|
@ -4,7 +4,7 @@ defmodule Pleroma.User do
|
||||||
import Ecto.{Changeset, Query}
|
import Ecto.{Changeset, Query}
|
||||||
alias Pleroma.{Repo, User, Object, Web, Activity, Notification}
|
alias Pleroma.{Repo, User, Object, Web, Activity, Notification}
|
||||||
alias Comeonin.Pbkdf2
|
alias Comeonin.Pbkdf2
|
||||||
alias Pleroma.Web.{OStatus, Websub}
|
alias Pleroma.Web.{OStatus, Websub, OAuth}
|
||||||
alias Pleroma.Web.ActivityPub.{Utils, ActivityPub}
|
alias Pleroma.Web.ActivityPub.{Utils, ActivityPub}
|
||||||
|
|
||||||
schema "users" do
|
schema "users" do
|
||||||
|
@ -132,6 +132,9 @@ def password_update_changeset(struct, params) do
|
||||||
|> validate_required([:password, :password_confirmation])
|
|> validate_required([:password, :password_confirmation])
|
||||||
|> validate_confirmation(:password)
|
|> validate_confirmation(:password)
|
||||||
|
|
||||||
|
OAuth.Token.delete_user_tokens(struct)
|
||||||
|
OAuth.Authorization.delete_user_authorizations(struct)
|
||||||
|
|
||||||
if changeset.valid? do
|
if changeset.valid? do
|
||||||
hashed = Pbkdf2.hashpwsalt(changeset.changes[:password])
|
hashed = Pbkdf2.hashpwsalt(changeset.changes[:password])
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@ defmodule Pleroma.Web.OAuth.Authorization do
|
||||||
alias Pleroma.{User, Repo}
|
alias Pleroma.{User, Repo}
|
||||||
alias Pleroma.Web.OAuth.{Authorization, App}
|
alias Pleroma.Web.OAuth.{Authorization, App}
|
||||||
|
|
||||||
import Ecto.{Changeset}
|
import Ecto.{Changeset, Query}
|
||||||
|
|
||||||
schema "oauth_authorizations" do
|
schema "oauth_authorizations" do
|
||||||
field(:token, :string)
|
field(:token, :string)
|
||||||
|
@ -45,4 +45,12 @@ def use_token(%Authorization{used: false, valid_until: valid_until} = auth) do
|
||||||
end
|
end
|
||||||
|
|
||||||
def use_token(%Authorization{used: true}), do: {:error, "already used"}
|
def use_token(%Authorization{used: true}), do: {:error, "already used"}
|
||||||
|
|
||||||
|
def delete_user_authorizations(%User{id: user_id}) do
|
||||||
|
from(
|
||||||
|
a in Pleroma.Web.OAuth.Authorization,
|
||||||
|
where: a.user_id == ^user_id
|
||||||
|
)
|
||||||
|
|> Repo.delete_all()
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -1,6 +1,8 @@
|
||||||
defmodule Pleroma.Web.OAuth.Token do
|
defmodule Pleroma.Web.OAuth.Token do
|
||||||
use Ecto.Schema
|
use Ecto.Schema
|
||||||
|
|
||||||
|
import Ecto.Query
|
||||||
|
|
||||||
alias Pleroma.{User, Repo}
|
alias Pleroma.{User, Repo}
|
||||||
alias Pleroma.Web.OAuth.{Token, App, Authorization}
|
alias Pleroma.Web.OAuth.{Token, App, Authorization}
|
||||||
|
|
||||||
|
@ -35,4 +37,12 @@ def create_token(%App{} = app, %User{} = user) do
|
||||||
|
|
||||||
Repo.insert(token)
|
Repo.insert(token)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def delete_user_tokens(%User{id: user_id}) do
|
||||||
|
from(
|
||||||
|
t in Pleroma.Web.OAuth.Token,
|
||||||
|
where: t.user_id == ^user_id
|
||||||
|
)
|
||||||
|
|> Repo.delete_all()
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -55,4 +55,26 @@ test "use up a token" do
|
||||||
|
|
||||||
assert {:error, "token expired"} == Authorization.use_token(expired_auth)
|
assert {:error, "token expired"} == Authorization.use_token(expired_auth)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "delete authorizations" do
|
||||||
|
{:ok, app} =
|
||||||
|
Repo.insert(
|
||||||
|
App.register_changeset(%App{}, %{
|
||||||
|
client_name: "client",
|
||||||
|
scopes: "scope",
|
||||||
|
redirect_uris: "url"
|
||||||
|
})
|
||||||
|
)
|
||||||
|
|
||||||
|
user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, auth} = Authorization.create_authorization(app, user)
|
||||||
|
{:ok, auth} = Authorization.use_token(auth)
|
||||||
|
|
||||||
|
{auths, _} = Authorization.delete_user_authorizations(user)
|
||||||
|
|
||||||
|
{_, invalid} = Authorization.use_token(auth)
|
||||||
|
|
||||||
|
assert auth != invalid
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -29,4 +29,36 @@ test "exchanges a auth token for an access token" do
|
||||||
auth = Repo.get(Authorization, auth.id)
|
auth = Repo.get(Authorization, auth.id)
|
||||||
{:error, "already used"} = Token.exchange_token(app, auth)
|
{:error, "already used"} = Token.exchange_token(app, auth)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
test "deletes all tokens of a user" do
|
||||||
|
{:ok, app1} =
|
||||||
|
Repo.insert(
|
||||||
|
App.register_changeset(%App{}, %{
|
||||||
|
client_name: "client1",
|
||||||
|
scopes: "scope",
|
||||||
|
redirect_uris: "url"
|
||||||
|
})
|
||||||
|
)
|
||||||
|
|
||||||
|
{:ok, app2} =
|
||||||
|
Repo.insert(
|
||||||
|
App.register_changeset(%App{}, %{
|
||||||
|
client_name: "client2",
|
||||||
|
scopes: "scope",
|
||||||
|
redirect_uris: "url"
|
||||||
|
})
|
||||||
|
)
|
||||||
|
|
||||||
|
user = insert(:user)
|
||||||
|
|
||||||
|
{:ok, auth1} = Authorization.create_authorization(app1, user)
|
||||||
|
{:ok, auth2} = Authorization.create_authorization(app2, user)
|
||||||
|
|
||||||
|
{:ok, token1} = Token.exchange_token(app1, auth1)
|
||||||
|
{:ok, token2} = Token.exchange_token(app2, auth2)
|
||||||
|
|
||||||
|
{tokens, _} = Token.delete_user_tokens(user)
|
||||||
|
|
||||||
|
assert tokens == 2
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in a new issue