Ensure password resets revoke access to Streaming API

2024-11-23 16:44:04 -05:00 · 2024-01-17 20:38:21 +01:00 · 2024-01-17 20:38:21 +01:00 · ef3804a494
commit ef3804a494
parent 46d24cdfaa
2 changed files with 12 additions and 0 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@ -359,6 +359,13 @@ class User < ApplicationRecord
    Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch|
      batch.update_all(revoked_at: Time.now.utc)
      Web::PushSubscription.where(access_token_id: batch).delete_all
+
+      # Revoke each access token for the Streaming API, since `update_all``
+      # doesn't trigger ActiveRecord Callbacks:
+      # TODO: #28793 Combine into a single topic
+      batch.each do |token|
+        redis.publish("timeline:access_token:#{token.id}", Oj.dump(event: :kill))
+      end
    end
  end

--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@ -439,6 +439,7 @@ RSpec.describe User do
    let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }

    before do
+      allow(redis).to receive_messages(publish: nil)
      user.reset_password!
    end

@ -454,6 +455,10 @@ RSpec.describe User do
      expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0
    end

+    it 'revokes streaming access for all access tokens' do
+      expect(redis).to have_received(:publish).with("timeline:access_token:#{access_token.id}", Oj.dump(event: :kill)).once
+    end
+
    it 'removes push subscriptions' do
      expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0
    end