[NEW] Logout other clients when changing password (#15927)

* [NEW] Logout other clients when changing password * If no connection available clear all login tokens * Bring connection info with token value to the REST endpoint calls * Move connection removal to finally
6 years ago · 3a5736e5fa
parent f1417cd575
commit 3a5736e5fa
2 changed files with 35 additions and 6 deletions
--- a/app/api/server/api.js
+++ b/app/api/server/api.js
@ -1,4 +1,5 @@
 import { Meteor } from 'meteor/meteor';
+import { Random } from 'meteor/random';
 import { DDPCommon } from 'meteor/ddp-common';
 import { DDP } from 'meteor/ddp';
 import { Accounts } from 'meteor/accounts-base';
@ -312,6 +313,13 @@ export class APIClass extends Restivus {
 						route: `${ this.request.route }${ this.request.method.toLowerCase() }`,
 					};
 					let result;
+
+					const connection = {
+						id: Random.id(),
+						close() {},
+						token: this.token,
+					};
+
 					try {
 						api.enforceRateLimit(objectForRateLimitMatch, this.request, this.response);

@ -321,7 +329,18 @@ export class APIClass extends Restivus {
 							});
 						}

-						result = originalAction.apply(this);
+						const invocation = new DDPCommon.MethodInvocation({
+							connection,
+							isSimulation: false,
+							userId: this.userId,
+						});
+
+						Accounts._accountData[connection.id] = {
+							connection,
+						};
+						Accounts._setAccountData(connection.id, 'loginToken', this.token);
+
+						result = DDP._CurrentInvocation.withValue(invocation, () => originalAction.apply(this));
 					} catch (e) {
 						logger.debug(`${ method } ${ route } threw an error:`, e.stack);

@ -331,6 +350,8 @@ export class APIClass extends Restivus {
 						}[e.error] || 'failure';

 						result = API.v1[apiMethod](e.message, e.error);
+					} finally {
+						delete Accounts._accountData[connection.id];
 					}

 					result = result || API.v1.success();
@ -545,6 +566,8 @@ const getUserAuth = function _getUserAuth(...args) {
 				token = Accounts._hashLoginToken(this.request.headers['x-auth-token']);
 			}

+			this.token = token;
+
 			return {
 				userId: this.request.headers['x-user-id'],
 				token,
--- a/server/methods/saveUserProfile.js
+++ b/server/methods/saveUserProfile.js
@ -17,13 +17,13 @@ Meteor.methods({
 			});
 		}

-		if (!Meteor.userId()) {
+		if (!this.userId) {
 			throw new Meteor.Error('error-invalid-user', 'Invalid user', {
 				method: 'saveUserProfile',
 			});
 		}

-		const user = Users.findOneById(Meteor.userId());
+		const user = Users.findOneById(this.userId);

 		function checkPassword(user = {}, typedPassword) {
 			if (!(user.services && user.services.password && user.services.password.bcrypt && user.services.password.bcrypt.trim())) {
@ -73,15 +73,21 @@ Meteor.methods({

 			passwordPolicy.validate(settings.newPassword);

-			Accounts.setPassword(Meteor.userId(), settings.newPassword, {
+			Accounts.setPassword(this.userId, settings.newPassword, {
 				logout: false,
 			});
+
+			try {
+				Meteor.call('removeOtherTokens');
+			} catch (e) {
+				Accounts._clearAllLoginTokens(this.userId);
+			}
 		}

-		Users.setProfile(Meteor.userId(), {});
+		Users.setProfile(this.userId, {});

 		if (customFields && Object.keys(customFields).length) {
-			saveCustomFields(Meteor.userId(), customFields);
+			saveCustomFields(this.userId, customFields);
 		}

 		return true;