From b1824d3dceb92d8de12ba3e98df7d3a9584e33e7 Mon Sep 17 00:00:00 2001
From: Zach Margolis
Date: Mon, 14 Sep 2020 08:54:44 -0700
Subject: [PATCH 1/2] Forget remembered browsers after RISC password reset (LG-3120)

---
 app/services/device_tracking/forget_all_browsers.rb | 4 ++--
 app/services/reset_user_password.rb | 13 +++++++++++--
 spec/services/reset_user_password_spec.rb | 12 ++++++++++--
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/app/services/device_tracking/forget_all_browsers.rb b/app/services/device_tracking/forget_all_browsers.rb
index 74bae6538b2..2fb47b21a9e 100644
--- a/app/services/device_tracking/forget_all_browsers.rb
+++ b/app/services/device_tracking/forget_all_browsers.rb
@@ -2,9 +2,9 @@ module DeviceTracking
   class ForgetAllBrowsers
     attr_reader :user, :remember_device_revoked_at
 
-    def initialize(user, remember_device_revoked_at: Time.zone.now)
+    def initialize(user, remember_device_revoked_at: nil)
       @user = user
-      @remember_device_revoked_at = remember_device_revoked_at
+      @remember_device_revoked_at = remember_device_revoked_at || Time.zone.now
     end
 
     def call
diff --git a/app/services/reset_user_password.rb b/app/services/reset_user_password.rb
index 8fdca01d7b4..87e3b15805b 100644
--- a/app/services/reset_user_password.rb
+++ b/app/services/reset_user_password.rb
@@ -1,22 +1,31 @@
 class ResetUserPassword
-  def initialize(user:)
+  def initialize(user:, remember_device_revoked_at: nil)
     @user = user
+    @remember_device_revoked_at = remember_device_revoked_at
   end
 
   def call
     reset_user_password
+    forget_all_browsers
     log_event
     notify_user
   end
 
   private
 
-  attr_reader :user
+  attr_reader :user, :remember_device_revoked_at
 
   def reset_user_password
     user.update!(password: SecureRandom.hex(8))
   end
 
+  def forget_all_browsers
+    DeviceTracking::ForgetAllBrowsers.new(
+      user,
+      remember_device_revoked_at: remember_device_revoked_at
+    ).call
+  end
+
   def log_event
     UserEventCreator.new(current_user: user).
       create_out_of_band_user_event(:password_invalidated)
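Review bot: The `|| Time.zone.now` fallback in `ForgetAllBrowsers#initialize` only covers a missing value; a caller-supplied `remember_device_revoked_at` earlier than the current time now flows through unchanged, and if `call` (its body is outside this hunk) treats browsers remembered after that timestamp as still trusted, passing a historic event time would leave every browser remembered between that time and now untouched. If the keyword exists to make the timestamp injectable for tests rather than to honour an external event time, say so above the signature, e.g. `# remember_device_revoked_at: override for tests; production callers should leave it nil so the cutoff is "now"`. That one comment stops the next caller from wiring a RISC event timestamp into it and silently weakening the revocation.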
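Review bot: `forget_all_browsers` is a second, independent write issued after `reset_user_password` in `call`, so if `DeviceTracking::ForgetAllBrowsers#call` (not visible here) raises, the password is already invalidated while remembered browsers stay trusted, and `log_event` never records the invalidation. Grouping the two writes in one transaction keeps the revocation and the reset atomic: `ActiveRecord::Base.transaction do`, then `reset_user_password` and `forget_all_browsers`, then `end`, with `log_event` and `notify_user` left outside it so a rollback never follows an already-sent mail. The new `remember_device_revoked_at:` keyword on `initialize` also has no documentation; a one-liner such as `# remember_device_revoked_at: optional cutoff passed to ForgetAllBrowsers; nil means "now"` would make the default visible to callers.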
diff --git a/spec/services/reset_user_password_spec.rb b/spec/services/reset_user_password_spec.rb
index b1dc4d25f57..0b07529d534 100644
--- a/spec/services/reset_user_password_spec.rb
+++ b/spec/services/reset_user_password_spec.rb
@@ -1,8 +1,11 @@
 require 'rails_helper'
 
 RSpec.describe ResetUserPassword do
-  subject(:reset_user_password) { ResetUserPassword.new(user: user) }
-  let(:user) { create(:user, :with_multiple_emails) }
+  subject(:reset_user_password) do
+    ResetUserPassword.new(user: user, remember_device_revoked_at: now)
+  end
+  let(:user) { create(:user, :with_multiple_emails, encrypted_password_digest: 30.days.from_now) }
+  let(:now) { Time.zone.now }
 
   describe '#call' do
     subject(:call) { reset_user_password.call }
@@ -23,5 +26,10 @@
       mails = ActionMailer::Base.deliveries.last(2)
       expect(mails.map(&:to).flatten).to match_array(user.email_addresses.map(&:email))
     end
+
+    it 'clears all remembered browsers by updating the remember_device_revoked_at timestamp' do
+      expect { call }.
+        to(change { user.reload.remember_device_revoked_at.to_i }.to(now.to_i))
+    end
   end
 end
From c2721cc91b6f11bec931ea378d3a1eb33d158d61 Mon Sep 17 00:00:00 2001
From: Zach Margolis
Date: Mon, 14 Sep 2020 09:03:06 -0700
Subject: [PATCH 2/2] rubocop: comma

---
 app/services/reset_user_password.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/services/reset_user_password.rb b/app/services/reset_user_password.rb
index 87e3b15805b..0f1cceb6356 100644
--- a/app/services/reset_user_password.rb
+++ b/app/services/reset_user_password.rb
@@ -22,7 +22,7 @@ def reset_user_password
   def forget_all_browsers
     DeviceTracking::ForgetAllBrowsers.new(
       user,
-      remember_device_revoked_at: remember_device_revoked_at
+      remember_device_revoked_at: remember_device_revoked_at,
     ).call
   end
 
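Review bot: `encrypted_password_digest: 30.days.from_now` on the new `let(:user)` line hands a timestamp to what reads as the password-digest attribute, and nothing in the examples on this page depends on it. It looks like a leftover from an earlier draft, possibly meant to pre-seed `remember_device_revoked_at` so the `change` assertion starts from a non-nil value; either drop the attribute or move the value to the column it was intended for so the factory setup does not mislead the next reader. If it is deliberate, a short comment on that line explaining why a digest is seeded with a time is the minimum.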
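Review bot: The new example in the second hunk always injects `remember_device_revoked_at: now`, so the `nil` default added to `ResetUserPassword#initialize` — the path a production caller that passes only `user:` takes, and the one that falls through to `|| Time.zone.now` in `ForgetAllBrowsers` — has no coverage. Add a sibling example that builds `ResetUserPassword.new(user: user)` and asserts `expect { call }.to(change { user.reload.remember_device_revoked_at })`, which fails if the default ever stops revoking. The `.to_i` comparison in the existing example is fine for second precision but will hide a sub-second mismatch if the column ever stores fractional seconds; worth a one-line comment on why the truncation is there.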