fix: Invalidate access tokens on password change

3 years ago · 266a762641
parent e9a65bb641
commit 266a762641
8 changed files with 65 additions and 4 deletions
--- a/client/src/sagas/core/services/users.js
+++ b/client/src/sagas/core/services/users.js
@ -5,6 +5,7 @@ import request from '../request';
 import selectors from '../../../selectors';
 import actions from '../../../actions';
 import api from '../../../api';
+import { setAccessToken } from '../../../utils/access-token-storage';

 export function* createUser(data) {
  yield put(actions.createUser(data));
@ -109,13 +110,18 @@ export function* updateUserPassword(id, data) {
  yield put(actions.updateUserPassword(id, data));

  let user;
+  let accessToken;
  try {
-    ({ item: user } = yield call(request, api.updateUserPassword, id, data));
+    ({ item: user, accessToken } = yield call(request, api.updateUserPassword, id, data));
  } catch (error) {
    yield put(actions.updateUserPassword.failure(id, error));
    return;
  }

+  if (accessToken !== undefined) {
+    yield call(setAccessToken, accessToken);
+  }
+
  yield put(actions.updateUserPassword.success(user));
 }

--- a/client/src/utils/access-token-storage.js
+++ b/client/src/utils/access-token-storage.js
@ -1,6 +1,7 @@
 import Cookies from 'js-cookie';

 import Config from '../constants/Config';
+import socket from '../api/socket';

 export const setAccessToken = (accessToken) => {
  Cookies.set(Config.ACCESS_TOKEN_KEY, accessToken, {
@ -11,6 +12,8 @@ export const setAccessToken = (accessToken) => {
  Cookies.set(Config.ACCESS_TOKEN_VERSION_KEY, Config.ACCESS_TOKEN_VERSION, {
    expires: Config.ACCESS_TOKEN_EXPIRES,
  });
+
+  socket.headers = { Cookie: document.cookie };
 };

 export const getAccessToken = () => {
--- a/server/api/controllers/users/update-password.js
+++ b/server/api/controllers/users/update-password.js
@ -66,6 +66,27 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }

+    // Disconnect all sockets from this user except the current one
+    const tempRoom = `temp:${user.id}`;
+    sails.sockets.addRoomMembersToRooms(`user:${user.id}`, tempRoom, () => {
+      if (currentUser.id === user.id && this.req.isSocket) {
+        sails.sockets.leave(this.req, tempRoom, () => {
+          sails.sockets.leaveAll(tempRoom);
+        });
+      } else {
+        sails.sockets.leaveAll(tempRoom);
+      }
+    });
+
+    if (currentUser.id === user.id) {
+      const accessToken = sails.helpers.utils.signToken(user.id);
+
+      return {
+        accessToken,
+        item: user,
+      };
+    }
+
    return {
      item: user,
    };
--- a/server/api/helpers/users/update-one.js
+++ b/server/api/helpers/users/update-one.js
@ -56,6 +56,8 @@ module.exports = {
    if (!_.isUndefined(inputs.values.password)) {
      // eslint-disable-next-line no-param-reassign
      inputs.values.password = bcrypt.hashSync(inputs.values.password, 10);
+      // eslint-disable-next-line no-param-reassign
+      inputs.values.passwordChangedAt = new Date();

      if (Object.keys(inputs.values).length === 1) {
        isOnlyPasswordChange = true;
--- a/server/api/helpers/utils/sign-token.js
+++ b/server/api/helpers/utils/sign-token.js
@ -11,6 +11,6 @@ module.exports = {
  },

  fn(inputs) {
-    return jwt.sign(inputs.payload, sails.config.session.secret);
+    return jwt.sign({ sub: inputs.payload }, sails.config.session.secret);
  },
 };
--- a/server/api/hooks/current-user/index.js
+++ b/server/api/hooks/current-user/index.js
@ -11,14 +11,27 @@ module.exports = function defineCurrentUserHook(sails) {

  const getUser = async (accessToken) => {
    let id;
+    let iat;
+    let decodedToken;

    try {
-      id = sails.helpers.utils.verifyToken(accessToken);
+      decodedToken = sails.helpers.utils.verifyToken(accessToken);
    } catch (error) {
      return null;
    }

-    return sails.helpers.users.getOne(id);
+    if (_.isString(decodedToken)) {
+      id = decodedToken;
+      iat = 1;
+    } else {
+      id = decodedToken.sub;
+      iat = decodedToken.iat;
+    }
+
+    return sails.helpers.users.getOne({
+      id,
+      passwordChangedAt: { '<=': new Date((iat + 1) * 1000) },
+    });
  };

  return {
--- a/server/api/models/User.js
+++ b/server/api/models/User.js
@ -67,6 +67,11 @@ module.exports = {
      type: 'ref',
      columnName: 'deleted_at',
    },
+    passwordChangedAt: {
+      type: 'ref',
+      columnName: 'password_changed_at',
+      defaultsTo: new Date(0).toUTCString(),
+    },

    //  ╔═╗╔╦╗╔╗ ╔═╗╔╦╗╔═╗
    //  ║╣ ║║║╠╩╗║╣  ║║╚═╗
--- a/server/db/migrations/20220803221221_add_password_changed_at_to_user_account_table.js
+++ b/server/db/migrations/20220803221221_add_password_changed_at_to_user_account_table.js
@ -0,0 +1,11 @@
+module.exports.up = async (knex) =>
+  knex.schema.table('user_account', (table) => {
+    /* Columns */
+
+    table.timestamp('password_changed_at', true).defaultsTo(new Date(0).toUTCString());
+  });
+
+module.exports.down = async (knex) =>
+  knex.schema.table('user_account', (table) => {
+    table.dropColumn('password_changed_at');
+  });