Logout other sessions when password is changed

closes #1222
This commit is contained in:
Dane Everitt 2018-06-30 17:50:58 -07:00
parent 1da05a2ee2
commit 974318ffb4
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
4 changed files with 45 additions and 14 deletions

View file

@ -16,6 +16,7 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
### Changed ### Changed
* Attempting to upload a folder via the web file manager will now display a warning telling the user to use SFTP. * Attempting to upload a folder via the web file manager will now display a warning telling the user to use SFTP.
* Changing your account password will now log out all other sessions that currently exist for that user.
## v0.7.7 (Derelict Dermodactylus) ## v0.7.7 (Derelict Dermodactylus)
### Fixed ### Fixed

View file

@ -3,7 +3,9 @@
namespace Pterodactyl\Http\Controllers\Base; namespace Pterodactyl\Http\Controllers\Base;
use Pterodactyl\Models\User; use Pterodactyl\Models\User;
use Illuminate\Auth\AuthManager;
use Prologue\Alerts\AlertsMessageBag; use Prologue\Alerts\AlertsMessageBag;
use Illuminate\Contracts\Session\Session;
use Pterodactyl\Http\Controllers\Controller; use Pterodactyl\Http\Controllers\Controller;
use Pterodactyl\Services\Users\UserUpdateService; use Pterodactyl\Services\Users\UserUpdateService;
use Pterodactyl\Http\Requests\Base\AccountDataFormRequest; use Pterodactyl\Http\Requests\Base\AccountDataFormRequest;
@ -15,6 +17,11 @@ class AccountController extends Controller
*/ */
protected $alert; protected $alert;
/**
* @var \Illuminate\Auth\SessionGuard
*/
protected $sessionGuard;
/** /**
* @var \Pterodactyl\Services\Users\UserUpdateService * @var \Pterodactyl\Services\Users\UserUpdateService
*/ */
@ -24,12 +31,14 @@ class AccountController extends Controller
* AccountController constructor. * AccountController constructor.
* *
* @param \Prologue\Alerts\AlertsMessageBag $alert * @param \Prologue\Alerts\AlertsMessageBag $alert
* @param \Illuminate\Auth\AuthManager $authManager
* @param \Pterodactyl\Services\Users\UserUpdateService $updateService * @param \Pterodactyl\Services\Users\UserUpdateService $updateService
*/ */
public function __construct(AlertsMessageBag $alert, UserUpdateService $updateService) public function __construct(AlertsMessageBag $alert, AuthManager $authManager, UserUpdateService $updateService)
{ {
$this->alert = $alert; $this->alert = $alert;
$this->updateService = $updateService; $this->updateService = $updateService;
$this->sessionGuard = $authManager->guard();
} }
/** /**
@ -50,21 +59,26 @@ class AccountController extends Controller
* *
* @throws \Pterodactyl\Exceptions\Model\DataValidationException * @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
* @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
*/ */
public function update(AccountDataFormRequest $request) public function update(AccountDataFormRequest $request)
{ {
$data = []; // Prevent logging this specific session out when the password is changed. This will
// automatically update the user's password anyways, so no need to do anything else here.
if ($request->input('do_action') === 'password') { if ($request->input('do_action') === 'password') {
$data['password'] = $request->input('new_password'); $this->sessionGuard->logoutOtherDevices($request->input('new_password'));
} elseif ($request->input('do_action') === 'email') { } else {
$data['email'] = $request->input('new_email'); if ($request->input('do_action') === 'email') {
} elseif ($request->input('do_action') === 'identity') { $data = ['email' => $request->input('new_email')];
$data = $request->only(['name_first', 'name_last', 'username']); } elseif ($request->input('do_action') === 'identity') {
$data = $request->only(['name_first', 'name_last', 'username']);
} else {
$data = [];
}
$this->updateService->setUserLevel(User::USER_LEVEL_USER);
$this->updateService->handle($request->user(), $data);
} }
$this->updateService->setUserLevel(User::USER_LEVEL_USER);
$this->updateService->handle($request->user(), $data);
$this->alert->success(trans('base.account.details_updated'))->flash(); $this->alert->success(trans('base.account.details_updated'))->flash();
return redirect()->route('account'); return redirect()->route('account');

View file

@ -19,6 +19,7 @@ use Pterodactyl\Http\Middleware\Api\AuthenticateKey;
use Illuminate\Routing\Middleware\SubstituteBindings; use Illuminate\Routing\Middleware\SubstituteBindings;
use Pterodactyl\Http\Middleware\AccessingValidServer; use Pterodactyl\Http\Middleware\AccessingValidServer;
use Pterodactyl\Http\Middleware\Api\SetSessionDriver; use Pterodactyl\Http\Middleware\Api\SetSessionDriver;
use Illuminate\Session\Middleware\AuthenticateSession;
use Illuminate\View\Middleware\ShareErrorsFromSession; use Illuminate\View\Middleware\ShareErrorsFromSession;
use Pterodactyl\Http\Middleware\MaintenanceMiddleware; use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
use Pterodactyl\Http\Middleware\RedirectIfAuthenticated; use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
@ -64,6 +65,7 @@ class Kernel extends HttpKernel
EncryptCookies::class, EncryptCookies::class,
AddQueuedCookiesToResponse::class, AddQueuedCookiesToResponse::class,
StartSession::class, StartSession::class,
AuthenticateSession::class,
ShareErrorsFromSession::class, ShareErrorsFromSession::class,
VerifyCsrfToken::class, VerifyCsrfToken::class,
SubstituteBindings::class, SubstituteBindings::class,

View file

@ -4,6 +4,8 @@ namespace Tests\Unit\Http\Controllers\Base;
use Mockery as m; use Mockery as m;
use Pterodactyl\Models\User; use Pterodactyl\Models\User;
use Illuminate\Auth\AuthManager;
use Illuminate\Auth\SessionGuard;
use Prologue\Alerts\AlertsMessageBag; use Prologue\Alerts\AlertsMessageBag;
use Pterodactyl\Services\Users\UserUpdateService; use Pterodactyl\Services\Users\UserUpdateService;
use Tests\Unit\Http\Controllers\ControllerTestCase; use Tests\Unit\Http\Controllers\ControllerTestCase;
@ -17,6 +19,16 @@ class AccountControllerTest extends ControllerTestCase
*/ */
protected $alert; protected $alert;
/**
* @var \Illuminate\Auth\AuthManager|\Mockery\Mock
*/
protected $authManager;
/**
* @var \Illuminate\Auth\SessionGuard|\Mockery\Mock
*/
protected $sessionGuard;
/** /**
* @var \Pterodactyl\Services\Users\UserUpdateService|\Mockery\Mock * @var \Pterodactyl\Services\Users\UserUpdateService|\Mockery\Mock
*/ */
@ -31,6 +43,10 @@ class AccountControllerTest extends ControllerTestCase
$this->alert = m::mock(AlertsMessageBag::class); $this->alert = m::mock(AlertsMessageBag::class);
$this->updateService = m::mock(UserUpdateService::class); $this->updateService = m::mock(UserUpdateService::class);
$this->authManager = m::mock(AuthManager::class);
$this->sessionGuard = m::mock(SessionGuard::class);
$this->authManager->shouldReceive('guard')->once()->andReturn($this->sessionGuard);
} }
/** /**
@ -50,13 +66,11 @@ class AccountControllerTest extends ControllerTestCase
public function testUpdateControllerForPassword() public function testUpdateControllerForPassword()
{ {
$this->setRequestMockClass(AccountDataFormRequest::class); $this->setRequestMockClass(AccountDataFormRequest::class);
$user = $this->generateRequestUserModel();
$this->request->shouldReceive('input')->with('do_action')->andReturn('password'); $this->request->shouldReceive('input')->with('do_action')->andReturn('password');
$this->request->shouldReceive('input')->with('new_password')->once()->andReturn('test-password'); $this->request->shouldReceive('input')->with('new_password')->once()->andReturn('test-password');
$this->sessionGuard->shouldReceive('logoutOtherDevices')->once()->with('test-password')->andReturnSelf();
$this->updateService->shouldReceive('setUserLevel')->with(User::USER_LEVEL_USER)->once()->andReturnNull();
$this->updateService->shouldReceive('handle')->with($user, ['password' => 'test-password'])->once()->andReturn(collect());
$this->alert->shouldReceive('success->flash')->once()->andReturnNull(); $this->alert->shouldReceive('success->flash')->once()->andReturnNull();
$response = $this->getController()->update($this->request); $response = $this->getController()->update($this->request);
@ -113,6 +127,6 @@ class AccountControllerTest extends ControllerTestCase
*/ */
private function getController(): AccountController private function getController(): AccountController
{ {
return new AccountController($this->alert, $this->updateService); return new AccountController($this->alert, $this->authManager, $this->updateService);
} }
} }