forked from fedi/mastodon
daf71573d0
While making browser requests in the other sessions after a password change or reset does not allow you to be logged in and correctly invalidates the session making the request, sessions have API tokens associated with them, which can still be used until that session is invalidated. This is a security issue for accounts that were already compromised some other way because it makes it harder to throw out the hijacker.
32 lines
761 B
Ruby
32 lines
761 B
Ruby
# frozen_string_literal: true
|
|
|
|
class Auth::PasswordsController < Devise::PasswordsController
|
|
before_action :check_validity_of_reset_password_token, only: :edit
|
|
before_action :set_body_classes
|
|
|
|
layout 'auth'
|
|
|
|
def update
|
|
super do |resource|
|
|
resource.session_activations.destroy_all if resource.errors.empty?
|
|
end
|
|
end
|
|
|
|
private
|
|
|
|
def check_validity_of_reset_password_token
|
|
unless reset_password_token_is_valid?
|
|
flash[:error] = I18n.t('auth.invalid_reset_password_token')
|
|
redirect_to new_password_path(resource_name)
|
|
end
|
|
end
|
|
|
|
def set_body_classes
|
|
@body_classes = 'lighter'
|
|
end
|
|
|
|
def reset_password_token_is_valid?
|
|
resource_class.with_reset_password_token(params[:reset_password_token]).present?
|
|
end
|
|
end
|