diff options
author | Eugen Rochko <eugen@zeonfederated.com> | 2020-11-12 23:05:01 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-11-12 23:05:01 +0100 |
commit | 8532429af749339a3ff6af4130de3743cd8d1c68 (patch) | |
tree | 72baeae5c43531708a03e2c504fcab3e24d5ec6f /app/models/user.rb | |
parent | 9870b175b477bbc984fc7945f1ebe07e3f2b0053 (diff) |
Fix 2FA/sign-in token sessions being valid after password change (#14802)
If someone tries logging in to an account and is prompted for a 2FA code or sign-in token, even if the account's password or e-mail is updated in the meantime, the session will show the prompt and allow the login process to complete with a valid 2FA code or sign-in token
Diffstat (limited to 'app/models/user.rb')
-rw-r--r-- | app/models/user.rb | 25 |
1 files changed, 19 insertions, 6 deletions
diff --git a/app/models/user.rb b/app/models/user.rb index 7c8124fed..94fee999a 100644 --- a/app/models/user.rb +++ b/app/models/user.rb @@ -63,7 +63,7 @@ class User < ApplicationRecord devise :two_factor_backupable, otp_number_of_backup_codes: 10 - devise :registerable, :recoverable, :rememberable, :trackable, :validatable, + devise :registerable, :recoverable, :rememberable, :validatable, :confirmable include Omniauthable @@ -165,6 +165,24 @@ class User < ApplicationRecord prepare_new_user! if new_user && approved? end + def update_sign_in!(request, new_sign_in: false) + old_current, new_current = current_sign_in_at, Time.now.utc + self.last_sign_in_at = old_current || new_current + self.current_sign_in_at = new_current + + old_current, new_current = current_sign_in_ip, request.remote_ip + self.last_sign_in_ip = old_current || new_current + self.current_sign_in_ip = new_current + + if new_sign_in + self.sign_in_count ||= 0 + self.sign_in_count += 1 + end + + save(validate: false) unless new_record? + prepare_returning_user! + end + def pending? !approved? end @@ -196,11 +214,6 @@ class User < ApplicationRecord prepare_new_user! end - def update_tracked_fields!(request) - super - prepare_returning_user! - end - def otp_enabled? otp_required_for_login end |