Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: plumb current session id into email removal/confirmation flow, so all other sessions are revoked except for the current session

Browse Source 
This utilises the new argument in user.auth.revokeAllSessions
This commit is contained in:
Julian Lam
2021-07-28 14:50:52 -04:00
parent b0a4a1d3e4
commit 96398faa3c
2 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/user/email.js
View File

@@ -24,7 +24,7 @@ UserEmail.available = async function (email) {
return !exists; return !exists;
}; };
UserEmail.remove = async function (uid) { UserEmail.remove = async function (uid, sessionId) {
const email = await user.getUserField(uid, 'email'); const email = await user.getUserField(uid, 'email');
if (!email) { if (!email) {
return; return;
@@ -38,7 +38,7 @@ UserEmail.remove = async function (uid) {
db.sortedSetRemove('email:uid', email.toLowerCase()), db.sortedSetRemove('email:uid', email.toLowerCase()),
db.sortedSetRemove('email:sorted', `${email.toLowerCase()}:${uid}`), db.sortedSetRemove('email:sorted', `${email.toLowerCase()}:${uid}`),
user.email.expireValidation(uid), user.email.expireValidation(uid),
user.auth.revokeAllSessions(uid), user.auth.revokeAllSessions(uid, sessionId),
events.log({ type: 'email-change', email, newEmail: '' }), events.log({ type: 'email-change', email, newEmail: '' }),
]); ]);
}; };
@@ -137,7 +137,7 @@ UserEmail.sendValidationEmail = async function (uid, options) {
}; };
// confirm email by code sent by confirmation email // confirm email by code sent by confirmation email
UserEmail.confirmByCode = async function (code) { UserEmail.confirmByCode = async function (code, sessionId) {
const confirmObj = await db.getObject(`confirm:${code}`); const confirmObj = await db.getObject(`confirm:${code}`);
if (!confirmObj || !confirmObj.uid || !confirmObj.email) { if (!confirmObj || !confirmObj.uid || !confirmObj.email) {
throw new Error('[[error:invalid-data]]'); throw new Error('[[error:invalid-data]]');
@@ -145,7 +145,9 @@ UserEmail.confirmByCode = async function (code) {
const oldEmail = await user.getUserField(confirmObj.uid, 'email'); const oldEmail = await user.getUserField(confirmObj.uid, 'email');
if (oldEmail && confirmObj.email !== oldEmail) { if (oldEmail && confirmObj.email !== oldEmail) {
UserEmail.remove(confirmObj.uid); await UserEmail.remove(confirmObj.uid, sessionId);
} else {
await user.auth.revokeAllSessions(confirmObj.uid, sessionId);
} }
await user.setUserField(confirmObj.uid, 'email', confirmObj.email); await user.setUserField(confirmObj.uid, 'email', confirmObj.email);

2
src/user/index.js
View File

@@ -279,7 +279,7 @@ User.addInterstitials = function (callback) {
} }
} else { } else {
// User explicitly clearing their email // User explicitly clearing their email
await User.email.remove(userData.uid); await User.email.remove(userData.uid, data.req.session.id);
} }
} else { } else {
// New registrants have the confirm email sent from user.create() // New registrants have the confirm email sent from user.create()