Merge commit from fork

* Ensure tootctl revokes sessions, access tokens and web push subscriptions

* Fix test coverage

---------

Co-authored-by: Emelia Smith <ThisIsMissEm@users.noreply.github.com>
This commit is contained in:
Claire
2025-10-13 14:20:23 +02:00
committed by GitHub
parent 8477bec2f2
commit 1631fb80e8
3 changed files with 25 additions and 8 deletions


@@ -393,17 +393,22 @@ class User < ApplicationRecord
end end
def reset_password! def reset_password!
# First, change password to something random, this revokes sessions and on-going access:
change_password!(SecureRandom.hex)
# Finally, send a reset password prompt to the user
send_reset_password_instructions
end
def change_password!(new_password)
# First, change password to something random and deactivate all sessions # First, change password to something random and deactivate all sessions
transaction do transaction do
update(password: SecureRandom.hex) update(password: new_password)
session_activations.destroy_all session_activations.destroy_all
end end
# Then, remove all authorized applications and connected push subscriptions # Then, remove all authorized applications and connected push subscriptions
revoke_access! revoke_access!
# Finally, send a reset password prompt to the user
send_reset_password_instructions
end end
protected protected
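Review bot: `update(password: new_password)` inside the new `change_password!` returns false on a validation failure instead of raising, so a rejected password (or any other invalid pending attribute on the record, since `update` writes the whole row) leaves the transaction committed, still runs `session_activations.destroy_all` and `revoke_access!`, and gives the caller no signal that the password was not actually changed. For a bang-named method that callers treat as authoritative, `update!(password: new_password)` would raise `ActiveRecord::RecordInvalid`, roll the transaction back and skip the revocations. A short comment on the method noting that it persists any other unsaved attribute changes on the user would also help callers such as the CLI reason about ordering. Some blank lines of this hunk appear to have been dropped in rendering.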


@@ -165,14 +165,17 @@ module Mastodon::CLI
user.role_id = nil user.role_id = nil
end end
password = SecureRandom.hex if options[:reset_password]
user.password = password if options[:reset_password]
user.email = options[:email] if options[:email] user.email = options[:email] if options[:email]
user.disabled = false if options[:enable] user.disabled = false if options[:enable]
user.disabled = true if options[:disable] user.disabled = true if options[:disable]
user.approved = true if options[:approve] user.approved = true if options[:approve]
user.disable_two_factor! if options[:disable_2fa] user.disable_two_factor! if options[:disable_2fa]
# Password changes are a little different, as we also need to ensure
# sessions, subscriptions, and access tokens are revoked after changing:
password = SecureRandom.hex if options[:reset_password]
user.change_password!(password) if options[:reset_password]
if user.save if user.save
user.confirm if options[:confirm] user.confirm if options[:confirm]
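Review bot: `user.change_password!(password)` now runs before `if user.save`, and because the new method persists and revokes inside its own transaction, a later failure of `user.save` (for example an invalid `--email` value) leaves the password already changed and every session, access token and push subscription revoked while the command reports an error. The previous code only assigned `user.password` and let `user.save` commit everything together. Moving the call into the successful branch, `if user.save` … `user.change_password!(password) if options[:reset_password]`, keeps the destructive step behind validation at the cost of a second write; alternatively the result of the change could be checked before continuing. The enclosing method starts and ends outside the hunk.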


@@ -361,11 +361,20 @@ RSpec.describe Mastodon::CLI::Accounts do
context 'with --reset-password option' do context 'with --reset-password option' do
let(:options) { { reset_password: true } } let(:options) { { reset_password: true } }
let(:user) { Fabricate(:user, password: original_password) }
let(:original_password) { 'foobar12345' }
let(:new_password) { 'new_password12345' }
it 'returns a new password for the user' do it 'returns a new password for the user' do
allow(SecureRandom).to receive(:hex).and_return('new_password') allow(SecureRandom).to receive(:hex).and_return(new_password)
allow(Account).to receive(:find_local).and_return(user.account)
allow(user).to receive(:change_password!).and_call_original
expect { subject } expect { subject }
.to output_results('new_password') .to output_results(new_password)
expect(user).to have_received(:change_password!).with(new_password)
expect(user.reload).to_not be_external_or_valid_password(original_password)
end end
end end
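Review bot: the new assertions verify that `change_password!` was called and that `original_password` no longer validates, but not that the revocations the commit is about actually took place; since the stub uses `and_call_original` the real method runs, so fabricating a session beforehand and asserting `expect(user.session_activations).to be_empty` after `subject` would pin the behaviour rather than the call. It would also be worth asserting `expect(user.reload).to be_external_or_valid_password(new_password)` so the spec shows the printed password is the one stored. The `allow(SecureRandom).to receive(:hex)` stub is global to the example, so any other `hex` call on the command path also returns `new_password` — presumably harmless here, but easy to miss if the command grows.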