Skip to content

Invalidate AccessTokens on password change #3018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
bajtos merged 1 commit into from
Dec 12, 2016
Merged

Invalidate AccessTokens on password change #3018

bajtos merged 1 commit into from
Dec 12, 2016

Conversation

@bajtos
Copy link
Member

@bajtos bajtos commented Dec 9, 2016

Invalidate all existing sessions (delete all access tokens) after user's password was changed.

This patch supersedes #2665

Connect to strongloop-internal/scrum-loopback#925

@loay @raymondfeng PTAL

@bajtos bajtos requested review from loay and raymondfeng December 9, 2016 14:38
@bajtos bajtos added the #review label Dec 9, 2016
@bajtos
Copy link
Member Author

bajtos commented Dec 9, 2016

Many of the changes in the test file are whitespace-only, see https://github.com/strongloop/loopback/pull/3018/files?w=1

@bajtos bajtos mentioned this pull request Dec 9, 2016
Closed
loay
loay approved these changes Dec 9, 2016
View reviewed changes
Copy link
Contributor

@loay loay left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tested. All functions work for both email and password change.
LGTM

@loay
Copy link
Contributor

loay commented Dec 9, 2016

@slnode test please

1 similar comment
@loay
Copy link
Contributor

loay commented Dec 9, 2016

@slnode test please

raymondfeng
raymondfeng reviewed Dec 9, 2016
View reviewed changes
common/models/user.js Outdated
};

User._invalidateAccessTokensOfUsers = function(userIds, cb) {
if (!userIds.length) return cb();
Copy link
Member

@raymondfeng raymondfeng Dec 9, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we check with !Array.isArray(userIds) || !userIds.length?
I think we need to use process.nextTick to cb() too.

Copy link
Member Author

@bajtos bajtos Dec 12, 2016

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed - see 062c529

@bajtos
Invalidate AccessTokens on password change
29a17f3 
Invalidate all existing sessions (delete all access tokens)
after user's password was changed.
@bajtos bajtos force-pushed the fix/session-expiry2 branch from 062c529 to 29a17f3 Compare December 12, 2016 12:30
@bajtos bajtos merged commit f27cd2c into master Dec 12, 2016
@bajtos bajtos deleted the fix/session-expiry2 branch December 12, 2016 12:50
@bajtos bajtos removed the #review label Dec 12, 2016
@bajtos bajtos mentioned this pull request Dec 12, 2016
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@raymondfeng raymondfeng raymondfeng left review comments

+1 more reviewer

@loay loay loay approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@bajtos @loay @timlind @raymondfeng @superkhau