Fix other sessions not being logged out on password change (#14252)

While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
3 years ago · 844870273f
3 changed files with 14 additions and 3 deletions
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController
				@@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController

  def update
    super do |resource|
-      resource.session_activations.destroy_all if resource.errors.empty?
+      if resource.errors.empty?
+        resource.session_activations.destroy_all
+        resource.forget_me!
+      end
    end
  end

--- a/app/controllers/auth/registrations_controller.rb
+++ b/app/controllers/auth/registrations_controller.rb
@ -1,6 +1,8 @@
				@@ -1,6 +1,8 @@
 # frozen_string_literal: true

 class Auth::RegistrationsController < Devise::RegistrationsController
+  include Devise::Controllers::Rememberable
+
  layout :determine_layout

  before_action :set_invite, only: [:new, :create]
@ -24,7 +26,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController
				@@ -24,7 +26,11 @@ class Auth::RegistrationsController < Devise::RegistrationsController

  def update
    super do |resource|
-      resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
+      if resource.saved_change_to_encrypted_password?
+        resource.clear_other_sessions(current_session.session_id)
+        resource.forget_me!
+        remember_me(resource)
+      end
    end
  end

--- a/app/controllers/home_controller.rb
+++ b/app/controllers/home_controller.rb
@ -1,6 +1,7 @@
				@@ -1,6 +1,7 @@
 # frozen_string_literal: true

 class HomeController < ApplicationController
+  before_action :redirect_unauthenticated_to_permalinks!
  before_action :authenticate_user!
  before_action :set_referrer_policy_header

@ -10,7 +11,7 @@ class HomeController < ApplicationController
				@@ -10,7 +11,7 @@ class HomeController < ApplicationController

  private

-  def authenticate_user!
+  def redirect_unauthenticated_to_permalinks!
    return if user_signed_in?

    matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/)
@ -35,6 +36,7 @@ class HomeController < ApplicationController
				@@ -35,6 +36,7 @@ class HomeController < ApplicationController
    end

    matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z})
+
    redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path)
  end