Revoke authentication tokens when a user is deleted

2022-12-23 16:24:10 +00:00 · 2022-12-23 16:24:10 +00:00 · 445e8162e9
commit 445e8162e9
parent 18c2bf62ae
1 changed files with 8 additions and 0 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -210,6 +210,7 @@ class User < ApplicationRecord
    # Mark the account as deleted and remove personal data
    event :soft_destroy do
      before do
+        revoke_authentication_tokens
        remove_personal_data
      end

@ -299,6 +300,13 @@ class User < ApplicationRecord
    blocks.active.detect(&:needs_view?)
  end

+  ##
+  # revoke any authentication tokens
+  def revoke_authentication_tokens
+    oauth_tokens.authorized.each(&:invalidate!)
+    access_tokens.not_expired.each(&:revoke)
+  end
+
  ##
  # remove personal data - leave the account but purge most personal data
  def remove_personal_data