Merge commit from fork

* Ensure tootctl revokes sessions, access tokens and web push subscriptions * Fix test coverage
3 weeks ago · 24dcb18013
parent 8d09e4ef23
commit 24dcb18013
3 changed files with 25 additions and 8 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -361,17 +361,22 @@ class User < ApplicationRecord
  end

  def reset_password!
+    # First, change password to something random, this revokes sessions and on-going access:
+    change_password!(SecureRandom.hex)
+
+    # Finally, send a reset password prompt to the user
+    send_reset_password_instructions
+  end
+
+  def change_password!(new_password)
    # First, change password to something random and deactivate all sessions
    transaction do
-      update(password: SecureRandom.hex)
+      update(password: new_password)
      session_activations.destroy_all
    end

    # Then, remove all authorized applications and connected push subscriptions
    revoke_access!
-
-    # Finally, send a reset password prompt to the user
-    send_reset_password_instructions
  end

  protected
--- a/lib/mastodon/cli/accounts.rb
+++ b/lib/mastodon/cli/accounts.rb
@ -165,14 +165,17 @@ module Mastodon::CLI
        user.role_id = nil
      end

-      password = SecureRandom.hex if options[:reset_password]
-      user.password = password if options[:reset_password]
      user.email = options[:email] if options[:email]
      user.disabled = false if options[:enable]
      user.disabled = true if options[:disable]
      user.approved = true if options[:approve]
      user.disable_two_factor! if options[:disable_2fa]

+      # Password changes are a little different, as we also need to ensure
+      # sessions, subscriptions, and access tokens are revoked after changing:
+      password = SecureRandom.hex if options[:reset_password]
+      user.change_password!(password) if options[:reset_password]
+
      if user.save
        user.confirm if options[:confirm]

--- a/spec/lib/mastodon/cli/accounts_spec.rb
+++ b/spec/lib/mastodon/cli/accounts_spec.rb
@ -361,11 +361,20 @@ RSpec.describe Mastodon::CLI::Accounts do
      context 'with --reset-password option' do
        let(:options) { { reset_password: true } }

+        let(:user) { Fabricate(:user, password: original_password) }
+        let(:original_password) { 'foobar12345' }
+        let(:new_password) { 'new_password12345' }
+
        it 'returns a new password for the user' do
-          allow(SecureRandom).to receive(:hex).and_return('new_password')
+          allow(SecureRandom).to receive(:hex).and_return(new_password)
+          allow(Account).to receive(:find_local).and_return(user.account)
+          allow(user).to receive(:change_password!).and_call_original

          expect { subject }
-            .to output_results('new_password')
+            .to output_results(new_password)
+
+          expect(user).to have_received(:change_password!).with(new_password)
+          expect(user.reload).to_not be_external_or_valid_password(original_password)
        end
      end