Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-27 17:16:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: #9397, trash the active session on account lockout, if there is one

Browse Source
This commit is contained in:
Julian Lam
2023-03-22 17:08:37 -04:00
parent e6e08d561b
commit 03e05b5154
1 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/controllers/authentication.js
View File

@@ -397,6 +397,9 @@ authenticationController.onSuccessfulLogin = async function (req, uid) {
} }
}; };
const destroyAsync = util.promisify((req, callback) => req.session.destroy(callback));
const logoutAsync = util.promisify((req, callback) => req.logout(callback));
authenticationController.localLogin = async function (req, username, password, next) { authenticationController.localLogin = async function (req, username, password, next) {
if (!username) { if (!username) {
return next(new Error('[[error:invalid-username]]')); return next(new Error('[[error:invalid-username]]'));
@@ -431,9 +434,17 @@ authenticationController.localLogin = async function (req, username, password, n
return next(new Error('[[error:local-login-disabled]]')); return next(new Error('[[error:local-login-disabled]]'));
} }
const passwordMatch = await user.isPasswordCorrect(uid, password, req.ip); try {
if (!passwordMatch) { const passwordMatch = await user.isPasswordCorrect(uid, password, req.ip);
return next(new Error('[[error:invalid-login-credentials]]')); if (!passwordMatch) {
return next(new Error('[[error:invalid-login-credentials]]'));
}
} catch (e) {
if (req.loggedIn) {
await logoutAsync(req);
await destroyAsync(req);
}
throw e;
} }
next(null, userData, '[[success:authentication-successful]]'); next(null, userData, '[[success:authentication-successful]]');
@@ -442,9 +453,6 @@ authenticationController.localLogin = async function (req, username, password, n
} }
}; };
const destroyAsync = util.promisify((req, callback) => req.session.destroy(callback));
const logoutAsync = util.promisify((req, callback) => req.logout(callback));
authenticationController.logout = async function (req, res, next) { authenticationController.logout = async function (req, res, next) {
if (!req.loggedIn || !req.sessionID) { if (!req.loggedIn || !req.sessionID) {
res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get()); res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
@@ -456,7 +464,6 @@ authenticationController.logout = async function (req, res, next) {
try { try {
await user.auth.revokeSession(sessionID, uid); await user.auth.revokeSession(sessionID, uid);
await logoutAsync(req); await logoutAsync(req);
await destroyAsync(req); await destroyAsync(req);
res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get()); res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());