Always clear sessions when user password is updated (#3821)

* Adds repro to issue #3289 * Always clear sessions when password is updated
parse-community · May 16, 2017 · 17a2d26 · 17a2d26
1 parent 9dbb89a
commit 17a2d26
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 6 deletions.
diff --git a/spec/ParseServerRESTController.spec.js b/spec/ParseServerRESTController.spec.js
@@ -135,10 +135,7 @@ describe('ParseServerRESTController', () => {
  }).then(sessions => {
  expect(sessions.length).toBe(0);
  done();
- }, (err) => {
- jfail(err);
- done();
- });
+ }, done.fail);
  });
 
  it('ensures a session token is created when passing installationId != cloud', (done) => {

diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
@@ -2935,4 +2935,21 @@ describe('Parse.User testing', () => {
  done();
  });
  });
+
+ it('should revoke sessions when setting paswword with masterKey (#3289)', (done) => {
+ let user;
+ Parse.User.signUp('username', 'password')
+ .then((newUser) => {
+ user = newUser;
+ user.set('password', 'newPassword');
+ return user.save(null, {useMasterKey: true});
+ }).then(() => {
+ const query = new Parse.Query('_Session');
+ query.equalTo('user', user);
+ return query.find({useMasterKey: true});
+ }).then((results) => {
+ expect(results.length).toBe(0);
+ done();
+ }, done.fail);
+ });
 });
diff --git a/src/RestWrite.js b/src/RestWrite.js
@@ -375,9 +375,12 @@ RestWrite.prototype.transformUser = function() {
  return Promise.resolve();
  }
 
- if (this.query && !this.auth.isMaster) {
+ if (this.query) {
  this.storage['clearSessions'] = true;
- this.storage['generateNewSession'] = true;
+ // Generate a new session only if the user requested
+ if (!this.auth.isMaster) {
+ this.storage['generateNewSession'] = true;
+ }
  }
 
  return this._validatePasswordPolicy().then(() => {