
Defect #35417 » 2fa-session-reset.patch

Holger Just, 2021-06-14 11:18


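--- a/app/controllers/twofa_controller.rb
+++ b/app/controllers/twofa_controller.rb
@@ -47,6 +47,8 @@
 
   def activate
     if @twofa.confirm_pairing!(params[:twofa_code].to_s)
+      # The session token was destroyed by the twofa pairing, generate a new one
+      session[:tk] = @user.generate_session_token
       flash[:notice] = l('twofa_activated', bc_path: my_twofa_backup_codes_init_path)
       redirect_to my_account_path
     else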
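Review bot: The new comment above `session[:tk] = @user.generate_session_token` says the token "was destroyed by the twofa pairing" but not where, so a reader of this controller has to know that `User#destroy_tokens` (the after-save hook changed in the same patch) now deletes all `session` tokens once the twofa scheme is set. Naming the mechanism keeps the two halves of this fix tied together: `# User#destroy_tokens revokes every session token when the twofa scheme is set; issue a fresh one so the current login survives the pairing`. The ordering is correct as written, since `confirm_pairing!` has already saved and fired the callback before the new token is generated. The `activate` method continues past the end of this hunk.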
app/models/user.rb
916 916
  # This helps to keep the account secure in case the associated email account
917 917
  # was compromised.
918 918
  def destroy_tokens
919
    if saved_change_to_hashed_password? || (saved_change_to_status? && !active?)
919
    if saved_change_to_hashed_password? || (saved_change_to_status? && !active?) || (saved_change_to_twofa_scheme? && twofa_scheme.present?)
920 920
      tokens = ['recovery', 'autologin', 'session']
921 921
      Token.where(:user_id => id, :action => tokens).delete_all
922 922
    end
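Review bot: The added clause `(saved_change_to_twofa_scheme? && twofa_scheme.present?)` revokes recovery, autologin and session tokens only when a twofa scheme is set or switched, not when it is cleared, so deactivating 2FA leaves every other session for the account alive. That asymmetry may well be deliberate (the owner turning 2FA off should not be logged out everywhere), but it is as security-relevant as the activation case and deserves a line stating the intent, e.g. `# Deactivating 2FA deliberately keeps existing sessions; only enabling or switching the scheme revokes them`. If instead deactivation should also invalidate other sessions, dropping the `twofa_scheme.present?` check is the one-line change. The `if` is also now long enough that extracting the three conditions into a named predicate such as `def tokens_revocation_required?` would make the hook readable at a glance. `destroy_tokens` itself ends outside this hunk.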