logo

pleroma

My custom branche(s) on git.pleroma.social/pleroma/pleroma
commit: e0c035589a570d1be7bf0f2f9ab3d78b2ed79462
parent: 117e005409c75c2d53df88fa19211823bdf3d61e
Author: kaniini <nenolod@gmail.com>
Date:   Sun, 14 Oct 2018 19:29:58 +0000

Merge branch 'security/clear-oauth-with-password' into 'develop'

Delete Tokens and Authorizations on password change

Closes #320

See merge request pleroma/pleroma!375

Diffstat:

Mlib/pleroma/user.ex5++++-
Mlib/pleroma/web/oauth/authorization.ex10+++++++++-
Mlib/pleroma/web/oauth/token.ex10++++++++++
Mtest/web/oauth/authorization_test.exs22++++++++++++++++++++++
Mtest/web/oauth/token_test.exs32++++++++++++++++++++++++++++++++
5 files changed, 77 insertions(+), 2 deletions(-)

diff --git a/lib/pleroma/user.ex b/lib/pleroma/user.ex @@ -4,7 +4,7 @@ defmodule Pleroma.User do import Ecto.{Changeset, Query} alias Pleroma.{Repo, User, Object, Web, Activity, Notification} alias Comeonin.Pbkdf2 - alias Pleroma.Web.{OStatus, Websub} + alias Pleroma.Web.{OStatus, Websub, OAuth} alias Pleroma.Web.ActivityPub.{Utils, ActivityPub} schema "users" do @@ -132,6 +132,9 @@ defmodule Pleroma.User do |> validate_required([:password, :password_confirmation]) |> validate_confirmation(:password) + OAuth.Token.delete_user_tokens(struct) + OAuth.Authorization.delete_user_authorizations(struct) + if changeset.valid? do hashed = Pbkdf2.hashpwsalt(changeset.changes[:password]) diff --git a/lib/pleroma/web/oauth/authorization.ex b/lib/pleroma/web/oauth/authorization.ex @@ -4,7 +4,7 @@ defmodule Pleroma.Web.OAuth.Authorization do alias Pleroma.{User, Repo} alias Pleroma.Web.OAuth.{Authorization, App} - import Ecto.{Changeset} + import Ecto.{Changeset, Query} schema "oauth_authorizations" do field(:token, :string) @@ -45,4 +45,12 @@ defmodule Pleroma.Web.OAuth.Authorization do end def use_token(%Authorization{used: true}), do: {:error, "already used"} + + def delete_user_authorizations(%User{id: user_id}) do + from( + a in Pleroma.Web.OAuth.Authorization, + where: a.user_id == ^user_id + ) + |> Repo.delete_all() + end end diff --git a/lib/pleroma/web/oauth/token.ex b/lib/pleroma/web/oauth/token.ex @@ -1,6 +1,8 @@ defmodule Pleroma.Web.OAuth.Token do use Ecto.Schema + import Ecto.Query + alias Pleroma.{User, Repo} alias Pleroma.Web.OAuth.{Token, App, Authorization} @@ -35,4 +37,12 @@ defmodule Pleroma.Web.OAuth.Token do Repo.insert(token) end + + def delete_user_tokens(%User{id: user_id}) do + from( + t in Pleroma.Web.OAuth.Token, + where: t.user_id == ^user_id + ) + |> Repo.delete_all() + end end diff --git a/test/web/oauth/authorization_test.exs b/test/web/oauth/authorization_test.exs @@ -55,4 +55,26 @@ defmodule Pleroma.Web.OAuth.AuthorizationTest do assert {:error, "token expired"} == Authorization.use_token(expired_auth) end + + test "delete authorizations" do + {:ok, app} = + Repo.insert( + App.register_changeset(%App{}, %{ + client_name: "client", + scopes: "scope", + redirect_uris: "url" + }) + ) + + user = insert(:user) + + {:ok, auth} = Authorization.create_authorization(app, user) + {:ok, auth} = Authorization.use_token(auth) + + {auths, _} = Authorization.delete_user_authorizations(user) + + {_, invalid} = Authorization.use_token(auth) + + assert auth != invalid + end end diff --git a/test/web/oauth/token_test.exs b/test/web/oauth/token_test.exs @@ -29,4 +29,36 @@ defmodule Pleroma.Web.OAuth.TokenTest do auth = Repo.get(Authorization, auth.id) {:error, "already used"} = Token.exchange_token(app, auth) end + + test "deletes all tokens of a user" do + {:ok, app1} = + Repo.insert( + App.register_changeset(%App{}, %{ + client_name: "client1", + scopes: "scope", + redirect_uris: "url" + }) + ) + + {:ok, app2} = + Repo.insert( + App.register_changeset(%App{}, %{ + client_name: "client2", + scopes: "scope", + redirect_uris: "url" + }) + ) + + user = insert(:user) + + {:ok, auth1} = Authorization.create_authorization(app1, user) + {:ok, auth2} = Authorization.create_authorization(app2, user) + + {:ok, token1} = Token.exchange_token(app1, auth1) + {:ok, token2} = Token.exchange_token(app2, auth2) + + {tokens, _} = Token.delete_user_tokens(user) + + assert tokens == 2 + end end