Ensure session token is changed
elektronaut committed Feb 2, 2024
1 parent 000fe3d commit 2c94c64
Showing 2 changed files with 28 additions and 3 deletions.
11 changes: 8 additions & 3 deletions app/models/concerns/pages_core/authenticable_user.rb
Expand Up @@ -17,13 +17,18 @@ module AuthenticableUser
}
)

before_save :update_session_token
after_initialize { |u| u.session_token ||= u.class.random_session_token }
before_validation :update_session_token
end

module ClassMethods
def authenticate(email, password:)
User.find_by(email:).try(:authenticate, password)
end

def random_session_token
SecureRandom.hex(32)
end
end

def can_login?
Expand All @@ -49,10 +54,10 @@ def use_recovery_code!(code)
private

def update_session_token
return unless !session_token? || password_digest_changed? ||
return unless password_digest_changed? ||
otp_enabled_changed?

self.session_token = SecureRandom.hex(32)
self.session_token = self.class.random_session_token
end
end
end
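Review bot: Moving the rotation from `before_save` to `before_validation` (first hunk) means any save path that skips validations — `save(validate: false)` or `update_attribute` — no longer rotates `session_token` when the password digest or OTP state changes, which is exactly the event the token is meant to invalidate, so an existing session would survive such a password reset. If that trade-off is deliberate it deserves a comment next to the callback, e.g. `# before_validation: token must be rotated before the record is validated; saves that skip validation will NOT rotate it`, otherwise keeping `before_save :update_session_token` alongside the new callback covers both paths (a second rotation in the same save is harmless). Note also that `before_validation` fires on a bare `valid?` call, so the in-memory token can change without anything being persisted; the `update_session_token` comment should say the rotation is only effective once the record is saved. The `AuthenticableUser` module and its `included` block start outside the hunk.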
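--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -78,4 +78,24 @@
 it { is_expected.to be(false) }
 end
 end
+
+describe "session_token" do
+subject(:session_token) { user.session_token }
+
+let(:user) { create(:user, :otp) }
+
+it { is_expected.to be_present }
+
+it "changes when password is changed" do
+previous = user.session_token
+user.update(password: "new password")
+expect(session_token).not_to eq(previous)
+end
+
+it "changes when OTP status is changed" do
+previous = user.session_token
+user.update(otp_enabled: false)
+expect(session_token).not_to eq(previous)
+end
+end
 end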
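Review bot: Both new examples call `user.update(...)` without checking that the save succeeded, and because the rotation now happens in a `before_validation` callback the in-memory `session_token` changes even when validation fails, so these examples pass against a record whose new token was never persisted. Use `user.update!(password: "new password")` and `user.update!(otp_enabled: false)` so a validation failure surfaces, and compare the stored value with `expect(user.reload.session_token).not_to eq(previous)`. A third example asserting the token is unchanged after an update to an unrelated attribute would pin the intended contract (only password and OTP changes rotate it). The enclosing `describe` block starts outside the hunk.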
