From ede06ffd439263c36ce7fad125efe556a1e8524f Mon Sep 17 00:00:00 2001 From: Natalie Tay Date: Mon, 14 Oct 2024 12:39:20 +0800 Subject: [PATCH] FIX: Allow user to log in another account using the same device (client_id) (#29121) Allow user to log in another account using the same device (client_id) --- app/controllers/user_api_keys_controller.rb | 3 +-- .../requests/user_api_keys_controller_spec.rb | 20 +++++++++++++++++++ 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/app/controllers/user_api_keys_controller.rb b/app/controllers/user_api_keys_controller.rb index 65334c6195d..f1bea047542 100644 --- a/app/controllers/user_api_keys_controller.rb +++ b/app/controllers/user_api_keys_controller.rb @@ -61,8 +61,7 @@ class UserApiKeysController < ApplicationController @application_name = params[:application_name] scopes = params[:scopes].split(",") - # destroy any old keys we had - UserApiKey.where(user_id: current_user.id, client_id: params[:client_id]).destroy_all + UserApiKey.where(client_id: params[:client_id]).destroy_all key = UserApiKey.create!( diff --git a/spec/requests/user_api_keys_controller_spec.rb b/spec/requests/user_api_keys_controller_spec.rb index b290455a6a3..194c84dc9cf 100644 --- a/spec/requests/user_api_keys_controller_spec.rb +++ b/spec/requests/user_api_keys_controller_spec.rb 
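Review bot: The new `UserApiKey.where(client_id: params[:client_id]).destroy_all` revokes keys held by other users on the strength of a client-supplied `client_id` alone, so any signed-in user who knows or can guess another user's client_id can revoke that user's key; the removed `user_id: current_user.id` scope is what previously prevented that. If this is the intended trade-off for a device that switches accounts, the deleted comment should be replaced by one that states it, e.g. `# Revoke every key issued to this client_id, including keys held by other accounts, so a device that switches accounts ends up with a single key`, and it is worth confirming that client_id values issued by clients are not predictable. If the project keeps an audit or staff log, recording a revocation whose previous owner differs from current_user would make misuse detectable. The enclosing action starts before and ends after this hunk.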
@@ -294,6 +294,26 @@ RSpec.describe UserApiKeysController do uri = URI.parse(response.redirect_url) expect(uri.to_s).to include(query_str) end + + it "revokes API key when client_id used by another user" do + user1 = Fabricate(:trust_level_0) + user2 = Fabricate(:trust_level_0) + key = Fabricate(:user_api_key, user: user1) + + SiteSetting.user_api_key_allowed_groups = Group::AUTO_GROUPS[:trust_level_0] + SiteSetting.allowed_user_api_auth_redirects = args[:auth_redirect] + SiteSetting.allowed_user_api_push_urls = "https://push.it/here" + args[:client_id] = key.client_id + args[:scopes] = "push,notifications,message_bus,session_info,one_time_password" + args[:push_url] = "https://push.it/here" + + sign_in(user2) + + post "/user-api-key.json", params: args + + expect(response.status).to eq(302) + expect(UserApiKey.exists?(key.id)).to eq(false) + end end describe "#create-one-time-password" do
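Review bot: The new example only asserts that user1's key is gone; it does not check that the destroy is scoped to the client_id (a key of user1 with a different client_id must survive) nor that user2 now holds the key for that client_id. Fabricating a second key with `other_key = Fabricate(:user_api_key, user: user1)` and asserting `expect(UserApiKey.exists?(other_key.id)).to eq(true)` together with `expect(UserApiKey.where(client_id: key.client_id).pluck(:user_id)).to eq([user2.id])` would pin the intended behaviour rather than just the deletion. The surrounding describe block starts before this hunk.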