fix: #9397, trash the active session on account lockout, if there is one

isekai-main
Julian Lam 2 years ago
parent e6e08d561b
commit 03e05b5154

@ -397,6 +397,9 @@ authenticationController.onSuccessfulLogin = async function (req, uid) {
}
};
const destroyAsync = util.promisify((req, callback) => req.session.destroy(callback));
const logoutAsync = util.promisify((req, callback) => req.logout(callback));
authenticationController.localLogin = async function (req, username, password, next) {
if (!username) {
return next(new Error('[[error:invalid-username]]'));
@ -431,9 +434,17 @@ authenticationController.localLogin = async function (req, username, password, n
return next(new Error('[[error:local-login-disabled]]'));
}
const passwordMatch = await user.isPasswordCorrect(uid, password, req.ip);
if (!passwordMatch) {
return next(new Error('[[error:invalid-login-credentials]]'));
try {
const passwordMatch = await user.isPasswordCorrect(uid, password, req.ip);
if (!passwordMatch) {
return next(new Error('[[error:invalid-login-credentials]]'));
}
} catch (e) {
if (req.loggedIn) {
await logoutAsync(req);
await destroyAsync(req);
}
throw e;
}
next(null, userData, '[[success:authentication-successful]]');
@ -442,9 +453,6 @@ authenticationController.localLogin = async function (req, username, password, n
}
};
const destroyAsync = util.promisify((req, callback) => req.session.destroy(callback));
const logoutAsync = util.promisify((req, callback) => req.logout(callback));
authenticationController.logout = async function (req, res, next) {
if (!req.loggedIn || !req.sessionID) {
res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
@ -456,7 +464,6 @@ authenticationController.logout = async function (req, res, next) {
try {
await user.auth.revokeSession(sessionID, uid);
await logoutAsync(req);
await destroyAsync(req);
res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
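Review bot: The new `catch` around `user.isPasswordCorrect` in `localLogin` tears the session down with `logoutAsync(req)` and `destroyAsync(req)` only, whereas `authenticationController.logout` in the same file first calls `user.auth.revokeSession(sessionID, uid)` and then clears the session cookie. If `revokeSession` also removes a stored per-user session record (not visible here), the lockout path would leave that record behind, so it is worth confirming and aligning the two paths. The block also runs for every exception from `isPasswordCorrect`, not only the lockout error named in the commit title, so an unrelated failure would log the user out too; checking the error before destroying the session would narrow it. A rejection from either teardown call replaces `e`, so the caller would never see the lockout error; wrapping the teardown in its own `try`/`catch` so that `throw e;` is always reached would preserve it. `localLogin`'s body continues outside the hunk.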
