From 20cfa7b810c48292fe7fe0b1a84e92a301fb9fa8 Mon Sep 17 00:00:00 2001
From: Bianca Nenciu
Date: Sat, 7 Mar 2020 15:04:12 +0200
Subject: [PATCH] FIX: Check if auth token exists before revocation (#9095)

---
 app/controllers/users_controller.rb    | 2 +-
 spec/requests/users_controller_spec.rb | 14 ++++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 5b7bbc70222..6afac2bacb9 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -1347,7 +1347,7 @@ class UsersController < ApplicationController
     if params[:token_id]
       token = UserAuthToken.find_by(id: params[:token_id], user_id: user.id)
       # The user should not be able to revoke the auth token of current session.
-      raise Discourse::InvalidParameters.new(:token_id) if guardian.auth_token == token.auth_token
+      raise Discourse::InvalidParameters.new(:token_id) if !token || guardian.auth_token == token.auth_token
       UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)
 
       MessageBus.publish "/file-change", ["refresh"], user_ids: [user.id]
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index 7a15170e38f..05077074820 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
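Review bot: The comment directly above the changed `raise` now describes only half of the guard: with `!token` the same `InvalidParameters` is also raised when the id does not resolve to one of this user's tokens, so the comment should say so, e.g. `# Reject token ids that are not this user's, and never revoke the token of the current session.` Keeping one exception class for both cases is the right call, since the response does not reveal whether the id was unknown or merely the current session. The `UserAuthToken.where(id: params[:token_id], user_id: user.id).each(&:destroy!)` on the following line repeats the lookup that `token` already holds; `token.destroy!` destroys the same record without a second query and cannot drift from what was just checked. The enclosing action starts before and ends after this hunk.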
@@ -3935,6 +3935,20 @@ describe UsersController do
       expect(user.user_auth_tokens.first.id).to eq(ids[1])
     end
 
+    it 'checks if token exists' do
+      ids = user.user_auth_tokens.order(:created_at).pluck(:id)
+
+      post "/u/#{user.username}/preferences/revoke-auth-token.json",
+        params: { token_id: ids[0] }
+
+      expect(response.status).to eq(200)
+
+      post "/u/#{user.username}/preferences/revoke-auth-token.json",
+        params: { token_id: ids[0] }
+
+      expect(response.status).to eq(400)
+    end
+
     it 'does not let user log out of current session' do
       token = UserAuthToken.generate!(user_id: user.id)
       env = Rack::MockRequest.env_for("/", "HTTP_COOKIE" => "_t=#{token.unhashed_auth_token};")
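Review bot: The new example asserts only the two response statuses; the 400 path is meant to leave the user's remaining tokens untouched, but nothing verifies that, so adding `expect(user.user_auth_tokens.count).to eq(ids.length - 1)` after the final `expect(response.status).to eq(400)` would pin that the rejected request revoked nothing further. The description `'checks if token exists'` states what the controller does rather than the observable outcome; `'returns 400 when the token id no longer exists'` reads better next to the sibling examples. The example also presumes `user` already has at least one auth token in this context, as the preceding example's use of `ids[1]` suggests; that setup lies outside the hunk.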