tootlab-mastodon/app/controllers/concerns/user_tracking_concern.rb
Eugen Rochko 8532429af7
Fix 2FA/sign-in token sessions being valid after password change (#14802)
If someone tries logging in to an account and is prompted for a 2FA
code or sign-in token, even if the account's password or e-mail is
updated in the meantime, the session will show the prompt and allow
the login process to complete with a valid 2FA code or sign-in token
2020-11-12 23:05:01 +01:00

22 lines
469 B
Ruby

# frozen_string_literal: true
module UserTrackingConcern
extend ActiveSupport::Concern
UPDATE_SIGN_IN_HOURS = 24
included do
before_action :update_user_sign_in
end
private
def update_user_sign_in
current_user.update_sign_in!(request) if user_needs_sign_in_update?
end
def user_needs_sign_in_update?
user_signed_in? && (current_user.current_sign_in_at.nil? || current_user.current_sign_in_at < UPDATE_SIGN_IN_HOURS.hours.ago)
end
end