From 5fb1c3e934a1a782972ac2732ce7f0208c341ac2 Mon Sep 17 00:00:00 2001
From: Francis Murillo <evacuee.overlap.vs3op@aleeas.com>
Date: Thu, 15 Dec 2022 14:47:06 +0000
Subject: Revoke all authorized applications on password reset (#21325)

* Clear sessions on password change

* Rename User::clear_sessions to revoke_access for a clearer meaning

* Add reset paassword controller test

* Use User.find instead of User.find_for_authentication for reset password test

* Use redirect and render for better test meaning in reset password

Co-authored-by: Effy Elden <effy@effy.space>
---
 app/controllers/auth/passwords_controller.rb | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'app/controllers/auth')

diff --git a/app/controllers/auth/passwords_controller.rb b/app/controllers/auth/passwords_controller.rb
index 2996c0431..a8ad66929 100644
--- a/app/controllers/auth/passwords_controller.rb
+++ b/app/controllers/auth/passwords_controller.rb
@@ -10,6 +10,8 @@ class Auth::PasswordsController < Devise::PasswordsController
     super do |resource|
       if resource.errors.empty?
         resource.session_activations.destroy_all
+
+        resource.revoke_access!
       end
     end
   end
-- 
cgit