hyperzlib
/
nodebb
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: plumb current session id into email removal/confirmation flow, so all other sessions are revoked except for the current session

Browse Source 
This utilises the new argument in user.auth.revokeAllSessions
v1.18.x
Julian Lam 4 years ago
parent b0a4a1d3e4
commit 96398faa3c
2 changed files with 7 additions and 5 deletions
Show Stats Download Patch File Download Diff File

10
src/user/email.js
Unescape Escape View File

@ -24,7 +24,7 @@ UserEmail.available = async function (email) {
return !exists; return !exists;
}; };
UserEmail.remove = async function (uid) { UserEmail.remove = async function (uid, sessionId) {
const email = await user.getUserField(uid, 'email'); const email = await user.getUserField(uid, 'email');
if (!email) { if (!email) {
return; return;
@ -38,7 +38,7 @@ UserEmail.remove = async function (uid) {
db.sortedSetRemove('email:uid', email.toLowerCase()), db.sortedSetRemove('email:uid', email.toLowerCase()),
db.sortedSetRemove('email:sorted', `${email.toLowerCase()}:${uid}`), db.sortedSetRemove('email:sorted', `${email.toLowerCase()}:${uid}`),
user.email.expireValidation(uid), user.email.expireValidation(uid),
user.auth.revokeAllSessions(uid), user.auth.revokeAllSessions(uid, sessionId),
events.log({ type: 'email-change', email, newEmail: '' }), events.log({ type: 'email-change', email, newEmail: '' }),
]); ]);
}; };
@ -137,7 +137,7 @@ UserEmail.sendValidationEmail = async function (uid, options) {
}; };
// confirm email by code sent by confirmation email // confirm email by code sent by confirmation email
UserEmail.confirmByCode = async function (code) { UserEmail.confirmByCode = async function (code, sessionId) {
const confirmObj = await db.getObject(`confirm:${code}`); const confirmObj = await db.getObject(`confirm:${code}`);
if (!confirmObj || !confirmObj.uid || !confirmObj.email) { if (!confirmObj || !confirmObj.uid || !confirmObj.email) {
throw new Error('[[error:invalid-data]]'); throw new Error('[[error:invalid-data]]');
@ -145,7 +145,9 @@ UserEmail.confirmByCode = async function (code) {
const oldEmail = await user.getUserField(confirmObj.uid, 'email'); const oldEmail = await user.getUserField(confirmObj.uid, 'email');
if (oldEmail && confirmObj.email !== oldEmail) { if (oldEmail && confirmObj.email !== oldEmail) {
UserEmail.remove(confirmObj.uid); await UserEmail.remove(confirmObj.uid, sessionId);
} else {
await user.auth.revokeAllSessions(confirmObj.uid, sessionId);
} }
await user.setUserField(confirmObj.uid, 'email', confirmObj.email); await user.setUserField(confirmObj.uid, 'email', confirmObj.email);

2
src/user/index.js
Unescape Escape View File

@ -279,7 +279,7 @@ User.addInterstitials = function (callback) {
} }
} else { } else {
// User explicitly clearing their email // User explicitly clearing their email
await User.email.remove(userData.uid); await User.email.remove(userData.uid, data.req.session.id);
} }
} else { } else {
// New registrants have the confirm email sent from user.create() // New registrants have the confirm email sent from user.create()

Write Preview
Loading…
Cancel
Save