Fix 2FA/sign-in token sessions being valid after password change (#14802)

If someone tries logging in to an account and is prompted for a 2FA code or sign-in token, even if the account's password or e-mail is updated in the meantime, the session will show the prompt and allow the login process to complete with a valid 2FA code or sign-in token
author: Eugen Rochko <eugen@zeonfederated.com> 2020-11-12 23:05:01 +0100
committer: GitHub <noreply@github.com> 2020-11-12 23:05:01 +0100
commit: 8532429af749339a3ff6af4130de3743cd8d1c68 (patch)
tree: 72baeae5c43531708a03e2c504fcab3e24d5ec6f /app/controllers/concerns/user_tracking_concern.rb
parent: 9870b175b477bbc984fc7945f1ebe07e3f2b0053 (diff)
1 files changed, 3 insertions, 4 deletions
diff --git a/app/controllers/concerns/user_tracking_concern.rb b/app/controllers/concerns/user_tracking_concern.rb
index be10705fc..efda37fae 100644
--- a/app/controllers/concerns/user_tracking_concern.rb
+++ b/app/controllers/concerns/user_tracking_concern.rb
@@ -6,14 +6,13 @@ module UserTrackingConcern
   UPDATE_SIGN_IN_HOURS = 24
 
   included do
-    before_action :set_user_activity
+    before_action :update_user_sign_in
   end
 
   private
 
-  def set_user_activity
-    return unless user_needs_sign_in_update?
-    current_user.update_tracked_fields!(request)
+  def update_user_sign_in
+    current_user.update_sign_in!(request) if user_needs_sign_in_update?
   end
 
   def user_needs_sign_in_update?
author	Eugen Rochko <eugen@zeonfederated.com>	2020-11-12 23:05:01 +0100
committer	GitHub <noreply@github.com>	2020-11-12 23:05:01 +0100
commit	8532429af749339a3ff6af4130de3743cd8d1c68 (patch)
tree	72baeae5c43531708a03e2c504fcab3e24d5ec6f /app/controllers/concerns/user_tracking_concern.rb
parent	9870b175b477bbc984fc7945f1ebe07e3f2b0053 (diff)