feat: plumb current session id into email removal/confirmation flow, so all other sessions are revoked except for the current session

This utilises the new argument in user.auth.revokeAllSessions
4 years ago · 96398faa3c
parent b0a4a1d3e4
commit 96398faa3c
2 changed files with 7 additions and 5 deletions
--- a/src/user/email.js
+++ b/src/user/email.js
@ -24,7 +24,7 @@ UserEmail.available = async function (email) {
 	return !exists;
 };

-UserEmail.remove = async function (uid) {
+UserEmail.remove = async function (uid, sessionId) {
 	const email = await user.getUserField(uid, 'email');
 	if (!email) {
 		return;
@ -38,7 +38,7 @@ UserEmail.remove = async function (uid) {
 		db.sortedSetRemove('email:uid', email.toLowerCase()),
 		db.sortedSetRemove('email:sorted', `${email.toLowerCase()}:${uid}`),
 		user.email.expireValidation(uid),
-		user.auth.revokeAllSessions(uid),
+		user.auth.revokeAllSessions(uid, sessionId),
 		events.log({ type: 'email-change', email, newEmail: '' }),
 	]);
 };
@ -137,7 +137,7 @@ UserEmail.sendValidationEmail = async function (uid, options) {
 };

 // confirm email by code sent by confirmation email
-UserEmail.confirmByCode = async function (code) {
+UserEmail.confirmByCode = async function (code, sessionId) {
 	const confirmObj = await db.getObject(`confirm:${code}`);
 	if (!confirmObj || !confirmObj.uid || !confirmObj.email) {
 		throw new Error('[[error:invalid-data]]');
@ -145,7 +145,9 @@ UserEmail.confirmByCode = async function (code) {

 	const oldEmail = await user.getUserField(confirmObj.uid, 'email');
 	if (oldEmail && confirmObj.email !== oldEmail) {
-		UserEmail.remove(confirmObj.uid);
+		await UserEmail.remove(confirmObj.uid, sessionId);
+	} else {
+		await user.auth.revokeAllSessions(confirmObj.uid, sessionId);
 	}

 	await user.setUserField(confirmObj.uid, 'email', confirmObj.email);
--- a/src/user/index.js
+++ b/src/user/index.js
@ -279,7 +279,7 @@ User.addInterstitials = function (callback) {
 								}
 							} else {
 								// User explicitly clearing their email
-								await User.email.remove(userData.uid);
+								await User.email.remove(userData.uid, data.req.session.id);
 							}
 						} else {
 							// New registrants have the confirm email sent from user.create()