revoke access tokens on password change

8 years ago · 9fc028b3d7
parent 2e040f9c0c
commit 9fc028b3d7
3 changed files with 13 additions and 6 deletions
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@ -385,7 +385,7 @@ namespace MediaBrowser.Api
                throw new ResourceNotFoundException("User not found");
            }

-            await _sessionMananger.RevokeUserTokens(user.Id.ToString("N")).ConfigureAwait(false);
+            await _sessionMananger.RevokeUserTokens(user.Id.ToString("N"), null).ConfigureAwait(false);

            await _userManager.DeleteUser(user).ConfigureAwait(false);
        }
@ -465,6 +465,10 @@ namespace MediaBrowser.Api
                }

                await _userManager.ChangePassword(user, request.NewPassword).ConfigureAwait(false);
+
+                var currentToken = AuthorizationContext.GetAuthorizationInfo(Request).Token;
+
+                await _sessionMananger.RevokeUserTokens(user.Id.ToString("N"), currentToken).ConfigureAwait(false);
            }
        }

@ -602,7 +606,8 @@ namespace MediaBrowser.Api
                    throw new ArgumentException("There must be at least one enabled user in the system.");
                }

-                await _sessionMananger.RevokeUserTokens(user.Id.ToString("N")).ConfigureAwait(false);
+                var currentToken = AuthorizationContext.GetAuthorizationInfo(Request).Token;
+                await _sessionMananger.RevokeUserTokens(user.Id.ToString("N"), currentToken).ConfigureAwait(false);
            }

            await _userManager.UpdateUserPolicy(request.Id, request).ConfigureAwait(false);
--- a/MediaBrowser.Controller/Session/ISessionManager.cs
+++ b/MediaBrowser.Controller/Session/ISessionManager.cs
@ -315,9 +315,8 @@ namespace MediaBrowser.Controller.Session
        /// <summary>
        /// Revokes the user tokens.
        /// </summary>
-        /// <param name="userId">The user identifier.</param>
        /// <returns>Task.</returns>
-        Task RevokeUserTokens(string userId);
+        Task RevokeUserTokens(string userId, string currentAccessToken);

        /// <summary>
        /// Revokes the token.
--- a/MediaBrowser.Server.Implementations/Session/SessionManager.cs
+++ b/MediaBrowser.Server.Implementations/Session/SessionManager.cs
@ -1451,7 +1451,7 @@ namespace MediaBrowser.Server.Implementations.Session
            }
        }

-        public async Task RevokeUserTokens(string userId)
+        public async Task RevokeUserTokens(string userId, string currentAccessToken)
        {
            var existing = _authRepo.Get(new AuthenticationInfoQuery
            {
@ -1461,7 +1461,10 @@ namespace MediaBrowser.Server.Implementations.Session

            foreach (var info in existing.Items)
            {
-                await Logout(info.AccessToken).ConfigureAwait(false);
+                if (!string.Equals(currentAccessToken, info.AccessToken, StringComparison.OrdinalIgnoreCase))
+                {
+                    await Logout(info.AccessToken).ConfigureAwait(false);
+                }
            }
        }