MirrorSave
/
budibase
mirror of https://github.com/Budibase/budibase.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Invalidate session on password update

This commit is contained in:
Adria Navarro 2023-12-29 16:54:47 +01:00
parent f74264c1c8
commit d1ffe24269
2 changed files with 20 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
packages/worker/src/sdk/auth/auth.ts
View File

@ -80,6 +80,7 @@ export const resetUpdate = async (resetCode: string, password: string) => {
user = await userSdk.db.save(user)
await cache.passwordReset.invalidateCode(resetCode)
await sessions.invalidateSessions(userId)
// remove password from the user before sending events
delete user.password

21
packages/worker/src/sdk/auth/tests/auth.spec.ts
View File

@ -1,5 +1,5 @@
import { cache, context, utils } from "@budibase/backend-core"
import { resetUpdate } from "../auth"
import { cache, context, sessions, utils } from "@budibase/backend-core"
import { loginUser, resetUpdate } from "../auth"
import { generator, structures } from "@budibase/backend-core/tests"
import { TestConfiguration } from "../../../tests"
@ -49,5 +49,22 @@ describe("auth", () => {
)
})
})
it("updating the password will invalidate all the sessions", async () => {
await context.doInTenant(structures.tenant.id(), async () => {
const user = await config.createUser()
await loginUser(user)
expect(await sessions.getSessionsForUser(user._id!)).toHaveLength(1)
const code = await cache.passwordReset.createCode(user._id!, {})
const newPassword = generator.hash()
await resetUpdate(code, newPassword)
expect(await sessions.getSessionsForUser(user._id!)).toHaveLength(0)
})
})
})
})