Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

feat: plumb current session id into email removal/confirmation flow, so all other sessions are revoked except for the current session

Browse Source 
This utilises the new argument in user.auth.revokeAllSessions
This commit is contained in:
Julian Lam
2021-07-28 14:50:52 -04:00
parent b0a4a1d3e4
commit 96398faa3c
2 changed files with 7 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/user/email.js
View File

@@ -24,7 +24,7 @@ UserEmail.available = async function (email) {
return !exists;
};
UserEmail.remove = async function (uid) {
UserEmail.remove = async function (uid, sessionId) {
const email = await user.getUserField(uid, 'email');
if (!email) {
return;
@@ -38,7 +38,7 @@ UserEmail.remove = async function (uid) {
db.sortedSetRemove('email:uid', email.toLowerCase()),
db.sortedSetRemove('email:sorted', `${email.toLowerCase()}:${uid}`),
user.email.expireValidation(uid),
user.auth.revokeAllSessions(uid),
user.auth.revokeAllSessions(uid, sessionId),
events.log({ type: 'email-change', email, newEmail: '' }),
]);
};
@@ -137,7 +137,7 @@ UserEmail.sendValidationEmail = async function (uid, options) {
};
// confirm email by code sent by confirmation email
UserEmail.confirmByCode = async function (code) {
UserEmail.confirmByCode = async function (code, sessionId) {
const confirmObj = await db.getObject(`confirm:${code}`);
if (!confirmObj || !confirmObj.uid || !confirmObj.email) {
throw new Error('[[error:invalid-data]]');
@@ -145,7 +145,9 @@ UserEmail.confirmByCode = async function (code) {
const oldEmail = await user.getUserField(confirmObj.uid, 'email');
if (oldEmail && confirmObj.email !== oldEmail) {
UserEmail.remove(confirmObj.uid);
await UserEmail.remove(confirmObj.uid, sessionId);
} else {
await user.auth.revokeAllSessions(confirmObj.uid, sessionId);
}
await user.setUserField(confirmObj.uid, 'email', confirmObj.email);

2
src/user/index.js
View File

@@ -279,7 +279,7 @@ User.addInterstitials = function (callback) {
}
} else {
// User explicitly clearing their email
await User.email.remove(userData.uid);
await User.email.remove(userData.uid, data.req.session.id);
}
} else {
// New registrants have the confirm email sent from user.create()