
Invalidate AccessTokens on password change [2.x] #3021

Merged: bajtos merged 1 commit into 2.x from fix/session-expiry-2x on Dec 12, 2016

@bajtos bajtos commented Dec 12, 2016

Member

Invalidate all existing sessions (delete all access tokens) after user's password was changed.

This is a back-port of #3018

Connect to strongloop-internal/scrum-loopback#925

cc @loay

@bajtos bajtos self-assigned this Dec 12, 2016
@bajtos bajtos added the #review label Dec 12, 2016
Invalidate all existing sessions (delete all access tokens)
after user's password was changed.
@bajtos bajtos force-pushed the fix/session-expiry-2x branch from 238cab0 to 4ee086d Compare December 12, 2016 12:58
@bajtos bajtos merged commit 5200b28 into 2.x Dec 12, 2016
@bajtos bajtos deleted the fix/session-expiry-2x branch December 12, 2016 13:59
@bajtos bajtos removed the #review label Dec 12, 2016
@bajtos bajtos changed the title Invalidate AccessTokens on password change Invalidate AccessTokens on password change [2.x] Dec 12, 2016

pelim commented Jan 4, 2017

This change results in invalidating the tokens on User.save(). Please revert this change; v2.36.0 works fine for me.

bajtos commented Jan 4, 2017

Member Author

@pelim could you please open a new issue with steps for reproducing the problem? See also #3034 and #3068

bajtos commented Jan 4, 2017

Member Author

@pelim is your problem perhaps related to #3053?

iicy90 commented Jan 19, 2017

@bajtos I have experienced the same issue: calling User.save() removes all current access tokens even when the user's email or password is not changed.

In common/models/user.js:
`var isFullReplaceChangingPassword = !!ctx.instance;`
ctx.instance is always true when you do User.save()

```js
var isFullReplaceChangingPassword = !!ctx.instance;
ctx.hookState.isPasswordChange = isPartialUpdateChangingPassword || isFullReplaceChangingPassword;
```

bajtos commented Jan 20, 2017

Member Author

@icy90 I see. Please open a new GitHub issue for this problem, so that we can move the discussion there, and mention my handle there so that I get an email notification.
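
The behaviour iicy90 reports above, reproduced as a standalone simulation (an added example, not LoopBack's code and not the fix the project adopted). `quotedCheck` mirrors the two lines quoted in the thread; the definition of `isPartialUpdateChangingPassword`, the hash-comparison alternative, and all sample data are assumptions made for illustration.

```javascript
// Constructed stored record; password values are opaque placeholder hashes.
const STORED = { id: 1, name: 'Ann', password: 'HASH_A' };

// Detection as quoted in the thread. The definition of
// isPartialUpdateChangingPassword is not shown there and is assumed here.
function quotedCheck(ctx) {
  const isPartialUpdateChangingPassword = !!(ctx.data && 'password' in ctx.data);
  const isFullReplaceChangingPassword = !!ctx.instance; // true for every save()
  return isPartialUpdateChangingPassword || isFullReplaceChangingPassword;
}

// Assumed alternative: compare the incoming hash with the stored one.
function hashComparisonCheck(ctx, stored) {
  const incoming = ctx.instance ? ctx.instance.password
    : (ctx.data && ctx.data.password);
  return incoming !== undefined && incoming !== stored.password;
}

// Runs one simulated save and returns how many of the user's two
// constructed access tokens survive it.
function tokensLeftAfterSave(detect, ctx) {
  const tokens = new Set(['tok1', 'tok2']);
  ctx.hookState = {};
  ctx.hookState.isPasswordChange = detect(ctx, STORED);
  if (ctx.hookState.isPasswordChange) tokens.clear(); // invalidate sessions
  return tokens.size;
}

// Constructed operations: full saves carry the whole instance, partial
// updates carry only the changed fields.
const CASES = {
  fullSaveNameOnly: () => ({ instance: { ...STORED, name: 'Ann B.' } }),
  fullSaveNewPassword: () => ({ instance: { ...STORED, password: 'HASH_B' } }),
  partialNameOnly: () => ({ data: { name: 'Ann B.' } }),
  partialNewPassword: () => ({ data: { password: 'HASH_B' } }),
};

function compare() {
  const out = {};
  for (const [name, makeCtx] of Object.entries(CASES)) {
    out[name] = {
      quoted: tokensLeftAfterSave(quotedCheck, makeCtx()),
      compared: tokensLeftAfterSave(hashComparisonCheck, makeCtx()),
    };
  }
  return out;
}

console.table(compare());
```

Both checks clear the tokens whenever the password hash actually changes; they differ only on a full save that leaves the password untouched.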
