author | Eugen Rochko <eugen@zeonfederated.com> | 2020-07-07 15:26:31 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-07-07 15:26:31 +0200 |
commit | 844870273ffb1a663c768494c265caef6768ff83 (patch) | |
tree | 8edd28a8130e478fd9d396a075e9ca62e5f47be3 /app/controllers/auth/passwords_controller.rb | |
parent | 1c903c7ad64221ea4102404e1efbc5d1ac3cc076 (diff) |
Fix other sessions not being logged out on password change (#14252)
While OAuth tokens were immediately revoked, accessing the home controller immediately generated new OAuth tokens and "revived" the session due to a combination of using remember_me tokens and overwriting the `authenticate_user!` method
Diffstat (limited to 'app/controllers/auth/passwords_controller.rb')
-rw-r--r-- | app/controllers/auth/passwords_controller.rb | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/app/controllers/auth/passwords_controller.rb b/app/controllers/auth/passwords_controller.rb
index b98bcecd0..5db2668f7 100644
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@@ -8,7 +8,10 @@ class Auth::PasswordsController < Devise::PasswordsController
 def update
 super do |resource|
- resource.session_activations.destroy_all if resource.errors.empty?
+ if resource.errors.empty?
+ resource.session_activations.destroy_all
+ resource.forget_me!
+ end
 end
 end
|
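Review bot: The added `resource.forget_me!` inside the `if resource.errors.empty?` branch of `update` carries no comment saying why it is there, and the reason is not visible in the code. According to the commit message, destroying the session activations alone is not enough, because a remember-me token still lets another browser come back with a fresh session. I would put above the call something like `# Also drop the remember-me token, otherwise other browsers re-authenticate from their cookie and the revoked sessions come back`, so a later cleanup does not remove it as redundant. The page shows only this controller and the rest of the class is outside the hunk, so it is worth confirming that any other path that changes a password performs the same two calls and that a spec asserts both effects.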