Reset Password - MailGun & Parse-Server doesn't expire session #3265

Closed
sricharan123 opened this issue Dec 21, 2016 · 2 comments

sricharan123 commented Dec 21, 2016

Currently working on a project with the parse server. I've successfully installed the mail-gun adapter and will receive an email when the parse sdk - password reset option is "initiated" by the user.

The problem is that, after clicking the link in the email and changing the password, the application already open in the browser can still access the pages.

I set revokeSessionOnPasswordReset to true in config.

Expected Results

To delete the session from existing browsers for the same user.

Actual Outcome

Can still access the pages of the application.

@fcoufour

Hi Sricharan,

Same issue here with Parse Server 2.2.25. Modifying the password when logged in revokes the session as intended. The session is however not revoked after the success of the email reset procedure.

It seems that the revoke session logic is located in the RestWrite.js file:

// Handles any followup logic
RestWrite.prototype.handleFollowup = function() {
  if (this.storage && this.storage['clearSessions'] && this.config.revokeSessionOnPasswordReset) {
    var sessionQuery = {
      user: {
        __type: 'Pointer',
        className: '_User',
        objectId: this.objectId()
      }
    };
    delete this.storage['clearSessions'];
    return this.config.database.destroy('_Session', sessionQuery)
    .then(this.handleFollowup.bind(this));
  }

  if (this.storage && this.storage['generateNewSession']) {
    delete this.storage['generateNewSession'];
    return this.createSessionToken()
    .then(this.handleFollowup.bind(this));
  }

  if (this.storage && this.storage['sendVerificationEmail']) {
    delete this.storage['sendVerificationEmail'];
    // Fire and forget!
    this.config.userController.sendVerificationEmail(this.data);
    return this.handleFollowup.bind(this);
  }
};

clearSessions is previously set to true only if not master, and this is probably the reason why the behaviour is the same as Parse Dashboard (issue #3289):

if (this.query && !this.auth.isMaster) {
  this.storage['clearSessions'] = true;
  this.storage['generateNewSession'] = true;
}

Can anyone confirm?
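
The guard quoted in the comment above, as an added example that is not part of the thread and is not parse-server code: an in-memory model of the `clearSessions` flag and the first branch of `handleFollowup`, run for a logged-in password change and for an email reset. The session records, the email reset write running with master auth (the commenter's unconfirmed hypothesis) and the `flagsOnPasswordChange` variant are assumptions made for illustration.

```javascript
// Added illustration: a simplified in-memory model, not parse-server code.
// Constructed sample data: two sessions for user u1, one for user u2.
const makeSessions = () => [
  { token: 'r:aaa', user: 'u1' },
  { token: 'r:bbb', user: 'u1' },
  { token: 'r:ccc', user: 'u2' },
];

// Guard as quoted in the thread: the flag is set only for non-master updates.
function flagsAsQuoted(write) {
  const storage = {};
  if (write.query && !write.auth.isMaster) storage.clearSessions = true;
  return storage;
}

// Hypothetical variant: the flag follows the password change itself,
// whichever credentials perform the write.
function flagsOnPasswordChange(write) {
  const storage = {};
  if (write.query && 'password' in write.data) storage.clearSessions = true;
  return storage;
}

// Mirrors the first branch of handleFollowup: the user's sessions are
// destroyed only when both the flag and the config option are set.
function applyWrite(sessions, write, config, flagFn) {
  const storage = flagFn(write);
  if (storage.clearSessions && config.revokeSessionOnPasswordReset) {
    return sessions.filter((s) => s.user !== write.query.objectId);
  }
  return sessions;
}

// Number of sessions left for userId after the write has been applied.
function remainingFor(userId, write, flagFn) {
  const config = { revokeSessionOnPasswordReset: true };
  const left = applyWrite(makeSessions(), write, config, flagFn);
  return left.filter((s) => s.user === userId).length;
}

const base = { query: { objectId: 'u1' }, data: { password: 'new-secret' } };
const loggedInChange = { ...base, auth: { isMaster: false } };
// Assumption taken from the comment above: the reset write runs as master.
const emailReset = { ...base, auth: { isMaster: true } };

console.log({
  loggedInChange: remainingFor('u1', loggedInChange, flagsAsQuoted),
  emailResetAsQuoted: remainingFor('u1', emailReset, flagsAsQuoted),
  emailResetVariant: remainingFor('u1', emailReset, flagsOnPasswordChange),
});
```

If the hypothesis holds, the quoted guard leaves both of u1's sessions valid after an email reset even with `revokeSessionOnPasswordReset` enabled, which matches the behaviour reported in this issue.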

Contributor

hramos commented Feb 10, 2017

Hey, thanks for reporting this issue.

Can you please add all the info specified in the template? This is necessary for people to be able to understand and reproduce the issue being reported.
