Invalidate session on password update
parent
f74264c1c8
commit
d1ffe24269
|
@ -80,6 +80,7 @@ export const resetUpdate = async (resetCode: string, password: string) => {
|
||||||
user = await userSdk.db.save(user)
|
user = await userSdk.db.save(user)
|
||||||
|
|
||||||
await cache.passwordReset.invalidateCode(resetCode)
|
await cache.passwordReset.invalidateCode(resetCode)
|
||||||
|
await sessions.invalidateSessions(userId)
|
||||||
|
|
||||||
// remove password from the user before sending events
|
// remove password from the user before sending events
|
||||||
delete user.password
|
delete user.password
|
||||||
|
|
|
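Review bot: The added `await sessions.invalidateSessions(userId)` in `resetUpdate` has no comment explaining why it is there, and its failure behaviour is left implicit. It runs after `userSdk.db.save(user)` and `cache.passwordReset.invalidateCode(resetCode)`, so if it rejects, the password is already changed and the reset code is spent, yet the old sessions stay valid and the caller only sees an error. I would add `// revoke every existing session so a previously issued session cannot outlive the password reset` above the call, and decide explicitly whether a failure here should be logged or retried rather than only propagated. The commit title says "password update", but only the reset-code path is visible here; any other password-change path may need the same call. The body of `resetUpdate` starts and ends outside this hunk, so where `userId` comes from cannot be checked from here.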
@ -1,5 +1,5 @@
|
||||||
import { cache, context, utils } from "@budibase/backend-core"
|
import { cache, context, sessions, utils } from "@budibase/backend-core"
|
||||||
import { resetUpdate } from "../auth"
|
import { loginUser, resetUpdate } from "../auth"
|
||||||
import { generator, structures } from "@budibase/backend-core/tests"
|
import { generator, structures } from "@budibase/backend-core/tests"
|
||||||
import { TestConfiguration } from "../../../tests"
|
import { TestConfiguration } from "../../../tests"
|
||||||
|
|
||||||
|
@ -49,5 +49,22 @@ describe("auth", () => {
|
||||||
)
|
)
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
||||||
|
it("updating the password will invalidate all the sessions", async () => {
|
||||||
|
await context.doInTenant(structures.tenant.id(), async () => {
|
||||||
|
const user = await config.createUser()
|
||||||
|
|
||||||
|
await loginUser(user)
|
||||||
|
|
||||||
|
expect(await sessions.getSessionsForUser(user._id!)).toHaveLength(1)
|
||||||
|
|
||||||
|
const code = await cache.passwordReset.createCode(user._id!, {})
|
||||||
|
const newPassword = generator.hash()
|
||||||
|
|
||||||
|
await resetUpdate(code, newPassword)
|
||||||
|
|
||||||
|
expect(await sessions.getSessionsForUser(user._id!)).toHaveLength(0)
|
||||||
|
})
|
||||||
|
})
|
||||||
})
|
})
|
||||||
})
|
})
|
||||||
|
|
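Review bot: The new test is named "updating the password will invalidate all the sessions", but it logs in only once, so it only proves that a single session is removed. Assuming each `loginUser` call creates a separate session (not visible here), calling `await loginUser(user)` twice and asserting `toHaveLength(2)` before `resetUpdate` would exercise the "all" in the name. A second user whose session count stays at 1 after the reset would also confirm that invalidation is scoped to the target user. The repeated `user._id!` assertions could be replaced by one `const userId = user._id!` at the top of the callback.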