Ensure password resets revoke access to Streaming API

This commit is contained in:
Emelia Smith 2024-01-17 20:38:21 +01:00 committed by Claire
parent 8d9714a576
commit 485087efee
2 changed files with 12 additions and 0 deletions

View File

@ -359,6 +359,13 @@ class User < ApplicationRecord
Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch|
batch.update_all(revoked_at: Time.now.utc)
Web::PushSubscription.where(access_token_id: batch).delete_all
# Revoke each access token for the Streaming API, since `update_all``
# doesn't trigger ActiveRecord Callbacks:
# TODO: #28793 Combine into a single topic
batch.each do |token|
redis.publish("timeline:access_token:#{token.id}", Oj.dump(event: :kill))
end
end
end

View File

@ -439,6 +439,7 @@ RSpec.describe User do
let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }
before do
allow(redis).to receive_messages(publish: nil)
user.reset_password!
end
@ -454,6 +455,10 @@ RSpec.describe User do
expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0
end
it 'revokes streaming access for all access tokens' do
expect(redis).to have_received(:publish).with("timeline:access_token:#{access_token.id}", Oj.dump(event: :kill)).once
end
it 'removes push subscriptions' do
expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0
end