From dbb089315ff3d8aabc11445e78fb50765208b27d Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Sun, 17 Sep 2023 20:25:48 +0200
Subject: [PATCH] Delete all sessions on password reset

---
 src/Controllers/PasswordResetController.php | 2 ++
 tests/Unit/Controllers/PasswordResetControllerTest.php | 9 +++++++++
 2 files changed, 11 insertions(+)

diff --git a/src/Controllers/PasswordResetController.php b/src/Controllers/PasswordResetController.php
index 694d4e0b..70a53d00 100644
--- a/src/Controllers/PasswordResetController.php
+++ b/src/Controllers/PasswordResetController.php
@@ -96,6 +96,8 @@ class PasswordResetController extends BaseController
 auth()->setPassword($reset->user, $data['password']);
 $reset->delete();
+ $reset->user->sessions()->getQuery()->delete();
+
 return $this->showView('pages/password/reset-success', ['type' => 'reset']);
 }
diff --git a/tests/Unit/Controllers/PasswordResetControllerTest.php b/tests/Unit/Controllers/PasswordResetControllerTest.php
index c653f3c0..d714177c 100644
--- a/tests/Unit/Controllers/PasswordResetControllerTest.php
+++ b/tests/Unit/Controllers/PasswordResetControllerTest.php
@@ -15,6 +15,7 @@ use Engelsystem\Http\Request;
 use Engelsystem\Http\Response;
 use Engelsystem\Http\Validation\Validator;
 use Engelsystem\Mail\EngelsystemMailer;
+use Engelsystem\Models\Session as SessionModel;
 use Engelsystem\Models\User\PasswordReset;
 use Engelsystem\Models\User\User;
 use Engelsystem\Renderer\Renderer;
@@ -147,6 +148,8 @@ class PasswordResetControllerTest extends ControllerTest
 ['password' => $password, 'password_confirmation' => $password],
 ['token' => $token->token]
 );
+ SessionModel::factory()->create(); // Some other session
+ SessionModel::factory(3)->create(['user_id' => $user->id]);
 $controller = $this->getController(
 'pages/password/reset-success',
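Review bot: The new purge line `$reset->user->sessions()->getQuery()->delete();` runs a bulk query delete on the relation's builder, which, as far as I can tell from how Eloquent builders behave, does not fire the Session model's `deleting`/`deleted` events or observers; if anything in the project reacts to session removal it will not see this, and iterating the loaded models (`foreach ($reset->user->sessions as $session) { $session->delete(); }`) would keep that behaviour while still clearing every session. The line also needs a why-comment, because its security intent is invisible from the code itself: `// Invalidate every existing login for this account: sessions established under the old password must not survive the reset`. `setPassword()`, `$reset->delete()` and the purge are three separate writes with no transaction visible in the hunk, so a failure on the new line leaves the password already changed and the token consumed while the old sessions stay valid; wrapping the three in a database transaction, if the project uses one elsewhere, would make the step atomic. The enclosing method starts outside the hunk.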
@@ -162,6 +165,12 @@ class PasswordResetControllerTest extends ControllerTest
 $this->assertEmpty((new PasswordReset())->find($user->id));
 $this->assertNotNull(auth()->authenticate($user->name, $password));
 $this->assertHasNoNotifications();
+
+ $this->assertEmpty(
+ SessionModel::whereUserId($user->id)->get(),
+ 'All user sessions should be deleted after successful password reset'
+ );
+ $this->assertCount(1, SessionModel::all()); // Another session should be still there
 }
 /**
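Review bot: The new assertions only cover the success path, so nothing pins that the user's sessions survive when the reset fails (invalid token, mismatched confirmation); since the purge is the security-relevant part of this change, a sibling test that seeds the same three sessions, drives the failing path and asserts `self::assertSame(3, SessionModel::whereUserId($user->id)->count());` would keep a later refactor from purging too early or not at all. The `$this->assertCount(1, SessionModel::all());` line is also a little fragile: it silently depends on the test harness never persisting a session row of its own, so if the ControllerTest base ever writes one the count changes for reasons unrelated to the reset; asserting that the specific "other" session's id is still present would be more precise. The test method starts outside the hunk.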