Delete Tokens and Authorizations on password change

Closes: https://git.pleroma.social/pleroma/pleroma/issues/320
5 years ago · eacab0fb05
--- a/lib/pleroma/user.ex
+++ b/lib/pleroma/user.ex
@@ -4,7 +4,7 @@ defmodule Pleroma.User do
  import Ecto.{Changeset, Query}
  alias Pleroma.{Repo, User, Object, Web, Activity, Notification}
  alias Comeonin.Pbkdf2
  alias Pleroma.Web.{OStatus, Websub}
  alias Pleroma.Web.{OStatus, Websub, OAuth}
  alias Pleroma.Web.ActivityPub.{Utils, ActivityPub}

  schema "users" do
@@ -132,6 +132,9 @@ defmodule Pleroma.User do
      |> validate_required([:password, :password_confirmation])
      |> validate_confirmation(:password)

    OAuth.Token.delete_user_tokens(struct)
    OAuth.Authorization.delete_user_authorizations(struct)

    if changeset.valid? do
      hashed = Pbkdf2.hashpwsalt(changeset.changes[:password])

--- a/lib/pleroma/web/oauth/authorization.ex
+++ b/lib/pleroma/web/oauth/authorization.ex
@@ -4,7 +4,7 @@ defmodule Pleroma.Web.OAuth.Authorization do
  alias Pleroma.{User, Repo}
  alias Pleroma.Web.OAuth.{Authorization, App}

  import Ecto.{Changeset}
  import Ecto.{Changeset, Query}

  schema "oauth_authorizations" do
    field(:token, :string)
@@ -45,4 +45,12 @@ defmodule Pleroma.Web.OAuth.Authorization do
  end

  def use_token(%Authorization{used: true}), do: {:error, "already used"}

  def delete_user_authorizations(%User{id: user_id}) do
    from(
      a in Pleroma.Web.OAuth.Authorization,
      where: a.user_id == ^user_id
    )
    |> Repo.delete_all()
  end
 end
--- a/lib/pleroma/web/oauth/token.ex
+++ b/lib/pleroma/web/oauth/token.ex
@@ -1,6 +1,8 @@
 defmodule Pleroma.Web.OAuth.Token do
  use Ecto.Schema

  import Ecto.Query

  alias Pleroma.{User, Repo}
  alias Pleroma.Web.OAuth.{Token, App, Authorization}

@@ -35,4 +37,12 @@ defmodule Pleroma.Web.OAuth.Token do

    Repo.insert(token)
  end

  def delete_user_tokens(%User{id: user_id}) do
    from(
      t in Pleroma.Web.OAuth.Token,
      where: t.user_id == ^user_id
    )
    |> Repo.delete_all()
  end
 end
--- a/test/web/oauth/authorization_test.exs
+++ b/test/web/oauth/authorization_test.exs
@@ -55,4 +55,26 @@ defmodule Pleroma.Web.OAuth.AuthorizationTest do

    assert {:error, "token expired"} == Authorization.use_token(expired_auth)
  end

  test "delete authorizations" do
    {:ok, app} =
      Repo.insert(
        App.register_changeset(%App{}, %{
          client_name: "client",
          scopes: "scope",
          redirect_uris: "url"
        })
      )

    user = insert(:user)

    {:ok, auth} = Authorization.create_authorization(app, user)
    {:ok, auth} = Authorization.use_token(auth)

    {auths, _} = Authorization.delete_user_authorizations(user)

    {_, invalid} = Authorization.use_token(auth)

    assert auth != invalid
  end
 end
--- a/test/web/oauth/token_test.exs
+++ b/test/web/oauth/token_test.exs
@@ -29,4 +29,36 @@ defmodule Pleroma.Web.OAuth.TokenTest do
    auth = Repo.get(Authorization, auth.id)
    {:error, "already used"} = Token.exchange_token(app, auth)
  end

  test "deletes all tokens of a user" do
    {:ok, app1} =
      Repo.insert(
        App.register_changeset(%App{}, %{
          client_name: "client1",
          scopes: "scope",
          redirect_uris: "url"
        })
      )

    {:ok, app2} =
      Repo.insert(
        App.register_changeset(%App{}, %{
          client_name: "client2",
          scopes: "scope",
          redirect_uris: "url"
        })
      )

    user = insert(:user)

    {:ok, auth1} = Authorization.create_authorization(app1, user)
    {:ok, auth2} = Authorization.create_authorization(app2, user)

    {:ok, token1} = Token.exchange_token(app1, auth1)
    {:ok, token2} = Token.exchange_token(app2, auth2)

    {tokens, _} = Token.delete_user_tokens(user)

    assert tokens == 2
  end
 end