Skip to content

Commit

Permalink
fix: invalidate email, phone OTPs on password change (#1489)
Browse files Browse the repository at this point in the history
Password change may mean that the user no longer trusts the actions
performed by the previous "knower" of the password, so all password
reset, email confirmation, phone confirmation OTPs should be reset.
  • Loading branch information
hf authored Mar 19, 2024
1 parent 77cc7ac commit 960a4f9
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 2 deletions.
2 changes: 1 addition & 1 deletion internal/api/user_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -371,7 +371,7 @@ func (ts *UserTestSuite) TestUserUpdatePasswordReauthentication() {

require.True(ts.T(), u.Authenticate(context.Background(), "newpass"))
require.Empty(ts.T(), u.ReauthenticationToken)
require.NotEmpty(ts.T(), u.ReauthenticationSentAt)
require.Nil(ts.T(), u.ReauthenticationSentAt)
}

func (ts *UserTestSuite) TestUserUpdatePasswordLogoutOtherSessions() {
Expand Down
15 changes: 14 additions & 1 deletion internal/models/user.go
Original file line number Diff line number Diff line change
Expand Up @@ -301,7 +301,20 @@ func (u *User) SetPassword(ctx context.Context, password string) error {

// UpdatePassword updates the user's password. Use SetPassword outside of a transaction first!
func (u *User) UpdatePassword(tx *storage.Connection, sessionID *uuid.UUID) error {
if err := tx.UpdateOnly(u, "encrypted_password"); err != nil {
// These need to be reset because password change may mean the user no longer trusts the actions performed by the previous password.
u.ConfirmationToken = ""
u.ConfirmationSentAt = nil
u.RecoveryToken = ""
u.RecoverySentAt = nil
u.EmailChangeTokenCurrent = ""
u.EmailChangeTokenNew = ""
u.EmailChangeSentAt = nil
u.PhoneChangeToken = ""
u.PhoneChangeSentAt = nil
u.ReauthenticationToken = ""
u.ReauthenticationSentAt = nil

if err := tx.UpdateOnly(u, "encrypted_password", "confirmation_token", "confirmation_sent_at", "recovery_token", "recovery_sent_at", "email_change_token_current", "email_change_token_new", "email_change_sent_at", "phone_change_token", "phone_change_sent_at", "reauthentication_token", "reauthentication_sent_at"); err != nil {
return err
}

Expand Down

0 comments on commit 960a4f9

Please sign in to comment.