feat(security): #328 delete old sessions forgot password [tbs]
@@ -23,6 +23,7 @@ var (
|
||||
ErrInvalidEmail = errors.New("invalid email")
|
||||
ErrAccountExists = errors.New("account already exists")
|
||||
ErrSessionIdInvalid = errors.New("session ID is invalid")
|
||||
ErrTokenInvalid = errors.New("token is invalid")
|
||||
)
|
||||
|
||||
type User struct {
|
||||
@@ -95,7 +96,6 @@ func NewAuthImpl(db db.Auth, random Random, clock Clock, mail Mail, serverSettin
|
||||
}
|
||||
|
||||
func (service AuthImpl) SignIn(email string, password string) (*Session, error) {
|
||||
log.Info("Sign in %s", email)
|
||||
user, err := service.db.GetUserByEmail(email)
|
||||
if err != nil {
|
||||
if errors.Is(err, db.ErrNotFound) {
|
||||
@@ -149,7 +149,6 @@ func (service AuthImpl) SignInSession(sessionId string) (*Session, error) {
|
||||
}
|
||||
|
||||
func (service AuthImpl) SignInAnonymous() (*Session, error) {
|
||||
log.Info("Sign in anonymous")
|
||||
sessionDb, err := service.createSession(uuid.Nil)
|
||||
if err != nil {
|
||||
return nil, types.ErrInternal
|
||||
@@ -350,9 +349,17 @@ func (service AuthImpl) ChangePassword(session *Session, currPass, newPass strin
|
||||
return err
|
||||
}
|
||||
|
||||
err = service.db.DeleteOtherSessions(session.User.Id, session.Id)
|
||||
sessions, err := service.db.GetSessions(userDb.Id)
|
||||
if err != nil {
|
||||
return err
|
||||
return types.ErrInternal
|
||||
}
|
||||
for _, s := range sessions {
|
||||
if s.Id != session.Id {
|
||||
err = service.db.DeleteSession(s.Id)
|
||||
if err != nil {
|
||||
return types.ErrInternal
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
@@ -399,7 +406,7 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
|
||||
|
||||
token, err := service.db.GetToken(tokenStr)
|
||||
if err != nil {
|
||||
return err
|
||||
return ErrTokenInvalid
|
||||
}
|
||||
|
||||
err = service.db.DeleteToken(tokenStr)
|
||||
@@ -407,6 +414,11 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
if token.Type != db.TokenTypePasswordReset ||
|
||||
token.ExpiresAt.Before(service.clock.Now()) {
|
||||
return ErrTokenInvalid
|
||||
}
|
||||
|
||||
user, err := service.db.GetUser(token.UserId)
|
||||
if err != nil {
|
||||
log.Error("Could not get user from token: %v", err)
|
||||
@@ -421,6 +433,18 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
|
||||
return err
|
||||
}
|
||||
|
||||
sessions, err := service.db.GetSessions(user.Id)
|
||||
if err != nil {
|
||||
return types.ErrInternal
|
||||
}
|
||||
|
||||
for _, session := range sessions {
|
||||
err = service.db.DeleteSession(session.Id)
|
||||
if err != nil {
|
||||
return types.ErrInternal
|
||||
}
|
||||
}
|
||||
|
||||
return nil
|
||||
}
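Review bot: The new `return ErrTokenInvalid` after `service.db.GetToken(tokenStr)` reports every database failure as a bad token, so an outage during a reset looks to the caller like an expired link; SignIn higher on this page distinguishes `db.ErrNotFound` with `errors.Is`, and the same shape fits here: `if errors.Is(err, db.ErrNotFound) { return ErrTokenInvalid }` followed by `log.Error("Could not get token: %v", err); return types.ErrInternal`. Separately, the session sweep appears to run after the password has been written and the token has already been deleted, so a `GetSessions` or `DeleteSession` failure returns `types.ErrInternal` while the password change has presumably taken effect and any remaining sessions stay valid, and the caller cannot retry because the token is gone; if the db layer offers a transaction, the update and the revocation belong in one, otherwise the failure should at least be logged with the user ID so it can be reconciled. The body of ForgotPassword starts outside the hunk.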
|
||||
|
||||
|
||||