Invalidate external login session on removal of provider (16) #19289
Merged
Migaroez merged 4 commits into release/16.0 from May 19, 2025
… purging sessions associated with removed login providers.
Pull Request Overview
This PR forward ports security session invalidation functionality for external logins to Umbraco 16 with two key enhancements: eliminating circular dependency issues by centralizing session purge operations and adding a token purge step.
- Refactor session invalidation logic to be triggered from IExternalLoginWithKeyService.
- Add tests for IntExtensions and update related service implementations and dependency injections.
Reviewed Changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| tests/Umbraco.Tests.UnitTests/Umbraco.Core/Extensions/IntExtensionsTests.cs | Added unit tests for integer to GUID conversion extensions. |
| src/Umbraco.Web.Common/Security/ConfigureSecurityStampOptions.cs | Adjusted validation interval check by comparing to a default instance. |
| src/Umbraco.Infrastructure/Persistence/Repositories/Implement/UserRepository.cs | Added session invalidation and token deletion logic for removed login providers. |
| src/Umbraco.Infrastructure/Persistence/Repositories/Implement/ExternalLoginRepository.cs | Introduced deletion method for removed external login providers. |
| src/Umbraco.Core/Services/IExternalLoginWithKeyService.cs, ExternalLoginService.cs | Added new PurgeLoginsForRemovedProviders functionality. |
| src/Umbraco.Core/Extensions/IntExtensions.cs | Added TryParseFromGuid method and enhanced documentation. |
| src/Umbraco.Core/Configuration/Models/SecuritySettings.cs | Updated access level of internal constants. |
| src/Umbraco.Cms.Api.Management/Security/BackOfficeExternalLoginProviders.cs | Modified provider handling and added session invalidation on provider change. |
| Other files | Updated interface defaults, notification handler, and dependency registration to support these changes. |
Prerequisites
Description
This is a forward port of #19273 for Umbraco 16.
There are two differences from the 13 implementation:
- BackOfficeExternalLoginProviders on IUserService that we added in 13 is now removed, and instead all session purge operations are triggered from IExternalLoginWithKeyService.
- umbracoOpenIddictTokens table that relate to the current user.
Testing
The same process for testing as indicated on the linked PR can be used.
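An in-memory model of the purge described in this PR, added here as an illustration and not taken from the Umbraco code base. The `LoginStore` type, its collections and the provider names are hypothetical, and it assumes every user holding a login for a removed provider loses all of their sessions and tokens.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical in-memory types; none of these are Umbraco APIs.
public record ExternalLogin(Guid UserKey, string Provider);
public record Session(Guid Id, Guid UserKey);
public record Token(string Id, Guid UserKey);

public class LoginStore
{
    public List<ExternalLogin> Logins { get; } = new();
    public List<Session> Sessions { get; } = new();
    public List<Token> Tokens { get; } = new();

    // Deletes logins whose provider is no longer registered, then revokes the
    // sessions and tokens of every user who held one of those logins.
    public IReadOnlyCollection<Guid> PurgeLoginsForRemovedProviders(IEnumerable<string> currentProviders)
    {
        var current = new HashSet<string>(currentProviders, StringComparer.Ordinal);
        var affected = Logins.Where(l => !current.Contains(l.Provider))
                             .Select(l => l.UserKey)
                             .ToHashSet();
        if (affected.Count == 0) return affected; // no provider removed: leave sessions alone

        Logins.RemoveAll(l => !current.Contains(l.Provider));
        Sessions.RemoveAll(s => affected.Contains(s.UserKey));
        Tokens.RemoveAll(t => affected.Contains(t.UserKey)); // the extra token purge step
        return affected;
    }
}

public static class Demo
{
    public static void Main()
    {
        Guid alice = Guid.NewGuid(), bob = Guid.NewGuid();
        var store = new LoginStore();
        // Constructed sample data: alice signed in through a provider that is later removed.
        store.Logins.AddRange(new[] { new ExternalLogin(alice, "Provider.A"), new ExternalLogin(bob, "Provider.B") });
        store.Sessions.AddRange(new[] { new Session(Guid.NewGuid(), alice), new Session(Guid.NewGuid(), bob) });
        store.Tokens.AddRange(new[] { new Token("t1", alice), new Token("t2", bob) });

        var purged = store.PurgeLoginsForRemovedProviders(new[] { "Provider.B" });
        Console.WriteLine($"users purged: {purged.Count}");
        Console.WriteLine($"sessions left: {store.Sessions.Count}, tokens left: {store.Tokens.Count}");
    }
}
```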