OpenCloud
/
mastodon
mirror of https://github.com/tootsuite/mastodon
1
1
Fork 0
Code Issues Releases Wiki Activity
mastodon/app/controllers/auth/passwords_controller.rb

30 lines
728 B
Ruby
Raw Normal View History

Fix rubocop issues, introduce usage of frozen literal to improve performance
2016-11-15 16:56:29 +01:00
# frozen_string_literal: true
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
class Auth::PasswordsController < Devise::PasswordsController
Add SELF_DESTRUCT env variable to process self-destructions in the background (#26439)
2023-10-23 17:46:21 +02:00
skip_before_action :check_self_destruct!
Fix `Style/GuardClause` cop in app/controllers (#28420)
2024-01-25 16:13:41 +01:00
before_action :redirect_invalid_reset_token, only: :edit, unless: :reset_password_token_is_valid?
Redirect to PasswordController#new when reset_password_token is invalid (#4506)
2017-08-03 17:45:45 +02:00
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
layout 'auth'
Redirect to PasswordController#new when reset_password_token is invalid (#4506)
2017-08-03 17:45:45 +02:00
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
2020-01-24 00:20:38 +01:00
def update
super do |resource|
Fix other sessions not being logged out on password change (#14252) While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
2020-07-07 15:26:31 +02:00
if resource.errors.empty?
resource.session_activations.destroy_all
Revoke all authorized applications on password reset (#21325) * Clear sessions on password change * Rename User::clear_sessions to revoke_access for a clearer meaning * Add reset paassword controller test * Use User.find instead of User.find_for_authentication for reset password test * Use redirect and render for better test meaning in reset password Co-authored-by: Effy Elden <effy@effy.space>
2022-12-15 15:47:06 +01:00
resource.revoke_access!
Fix other sessions not being logged out on password change (#14252) While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
2020-07-07 15:26:31 +02:00
end
Fix password change/reset not immediately invalidating other sessions (#12928) While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
2020-01-24 00:20:38 +01:00
end
end
Redirect to PasswordController#new when reset_password_token is invalid (#4506)
2017-08-03 17:45:45 +02:00
private
Fix `Style/GuardClause` cop in app/controllers (#28420)
2024-01-25 16:13:41 +01:00
def redirect_invalid_reset_token
flash[:error] = I18n.t('auth.invalid_reset_password_token')
redirect_to new_password_path(resource_name)
Redirect to PasswordController#new when reset_password_token is invalid (#4506)
2017-08-03 17:45:45 +02:00
end
def reset_password_token_is_valid?
resource_class.with_reset_password_token(params[:reset_password_token]).present?
end
Customizing devise views and controllers
2016-03-05 22:43:05 +01:00
end