From 8532429af749339a3ff6af4130de3743cd8d1c68 Mon Sep 17 00:00:00 2001
From: Eugen Rochko <eugen@zeonfederated.com>
Date: Thu, 12 Nov 2020 23:05:01 +0100
Subject: Fix 2FA/sign-in token sessions being valid after password change
 (#14802)

If someone tries logging in to an account and is prompted for a 2FA
code or sign-in token, even if the account's password or e-mail is
updated in the meantime, the session will show the prompt and allow
the login process to complete with a valid 2FA code or sign-in token
---
 app/controllers/api/base_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'app/controllers/api/base_controller.rb')

diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index e962c4e97..fe199e689 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -103,7 +103,7 @@ class Api::BaseController < ApplicationController
     elsif !current_user.functional?
       render json: { error: 'Your login is currently disabled' }, status: 403
     else
-      set_user_activity
+      update_user_sign_in
     end
   end
 
-- 
cgit