Invalidate existing sessions when changing email or password
As we don't have any way to actually find the active sessions for an account we instead store a fingerprint in the session, and refuse to use any session with a different fingerprint.
parent
c694c78c9a
commit
7db541d697
3 changed files with 21 additions and 1 deletions
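The scheme the commit message describes, as an added example that is not the project's own code: a fingerprint of the account's email and password hash is stored in the session at login and rechecked on every request, so changing either attribute rejects every session issued before the change. `Account`, `login`, `session_valid?`, `secure_compare` and `invalidated_by_change?` are assumed names; the NUL separator between the fields and the `to_s` nil handling are assumptions that go beyond the commit's own `fingerprint` method.

```ruby
require "digest"

# Stand-in for the ActiveRecord model; pass_crypt is the stored password hash.
Account = Struct.new(:email, :pass_crypt)

# Digest email and password hash with a NUL separator so the field boundary
# is unambiguous; nil fields become "" instead of raising TypeError.
def fingerprint(account)
  digest = Digest::SHA256.new
  digest.update(account.email.to_s)
  digest.update("\0")
  digest.update(account.pass_crypt.to_s)
  digest.hexdigest
end

# Constant-time string comparison (assumed helper): the time taken does not
# depend on how many leading bytes of the two values match.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# At login: record the fingerprint alongside the user id in the session.
def login(account)
  { user_id: 1, fingerprint: fingerprint(account) }
end

# On every request: a session without a fingerprint, or with one that no
# longer matches the account's current email and password hash, is refused.
def session_valid?(session, account)
  stored = session[:fingerprint]
  return false if stored.nil?
  secure_compare(stored, fingerprint(account))
end

# Simulate an attribute change and report whether an older session dies.
def invalidated_by_change?(account, session, attr, new_value)
  updated = account.dup
  updated[attr] = new_value
  !session_valid?(session, updated)
end
```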
@ -44,6 +44,7 @@
#
class User < ApplicationRecord
require "digest"
require "xml/libxml"
has_many :traces, -> { where(:visible => true) }
@ -306,6 +307,13 @@ class User < ApplicationRecord
ClientApplication.find_by(:key => application_key).access_token_for_user(self)
end
def fingerprint
digest = Digest::SHA256.new
digest.update(email)
digest.update(pass_crypt)
digest.hexdigest
end
private
def set_defaults
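Review bot: `fingerprint` feeds `email` and `pass_crypt` into the digest back to back with no separator, so the result depends only on the concatenated bytes and a boundary shift between the two fields would yield the same fingerprint; put a delimiter between them (for example `digest.update("\0")` between the two `update` calls) so the field boundary is unambiguous. `Digest::SHA256#update` also raises `TypeError` on `nil`, so if either attribute can be unset when this is called (an unsaved record, for instance) the method raises instead of returning a value; `to_s` on both fields or an explicit guard would make it total. The comparison of this value against the fingerprint stored in the session lives in one of the other two changed files rather than in this hunk; it should use `ActiveSupport::SecurityUtils.secure_compare` rather than `==` so the check is constant-time.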