Skip to content

Commit

Permalink
Fix security issue 580
Browse files Browse the repository at this point in the history
  • Loading branch information
@loay
loay committed Jul 22, 2016
1 parent 7ed003e commit b53a22b
Show file tree
Hide file tree
Showing 2 changed files with 102 additions and 0 deletions.
15 changes: 15 additions & 0 deletions common/models/user.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -301,6 +301,21 @@ module.exports = function(User) {
return fn.promise;
};

User.observe('before delete', function(ctx, next) {
var AccessToken = ctx.Model.relations.accessTokens.modelTo;
var pkName = ctx.Model.definition.idName() || 'id';
ctx.Model.find({ where: ctx.where, fields: [pkName] }, function(err, list) {
if (err) return next(err);

var ids = list.map(function(u) { return u[pkName]; });
ctx.where = {};
ctx.where[pkName] = { inq: ids };

AccessToken.destroyAll({ userId: { inq: ids }}, next);
console.log('Deleted token for users ', ids);
});
});

/**
* Compare the given `password` with the users hashed password.
*
Expand Down
87 changes: 87 additions & 0 deletions test/user.test.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
require('./support');
var loopback = require('../');
var User, AccessToken;
var async = require('async');

describe('User', function() {
var validCredentialsEmail = '[email protected]';
Expand Down Expand Up @@ -214,6 +215,92 @@ describe('User', function() {
assert(u2.password === u1.password);
});

it('invalidates the user\'s accessToken when the user is deleted By id', function(done) {
var usersId;
async.series([
function(next) {
User.create({ email: '[email protected]', password: 'bar' }, function(err, user) {
usersId = user.id;
next(err);
});
},
function(next) {
User.login({ email: '[email protected]', password: 'bar' }, function(err, accessToken) {
if (err) return next(err);
assert(accessToken.userId);
next();
});
},
function(next) {
User.deleteById(usersId, function(err) {
next(err);
});
},
function(next) {
User.findById(usersId, function(err, userFound) {
if (err) return next(err);
expect(userFound).to.equal(null);
AccessToken.find({ where: { userId: usersId }}, function(err, tokens) {
if (err) return next(err);
expect(tokens.length).to.equal(0);
next();
});
});
},
], function(err) {
if (err) return done(err);
done();
});
});

it('invalidates the user\'s accessToken when the user is deleted all', function(done) {
var usersId, accessTokenId;
async.series([
function(next) {
User.create([{ name: 'myname', email: '[email protected]', password: 'bar' },
{ name: 'myname', email: '[email protected]', password: 'bar' }], function(err, user) {
usersId = user.id;
next(err);
});
},
function(next) {
User.login({ email: '[email protected]', password: 'bar' }, function(err, accessToken) {
accessTokenId = accessToken.userId;
if (err) return next (err);
assert(accessTokenId);
next();
});
},
function(next) {
User.login({ email: '[email protected]', password: 'bar' }, function(err, accessToken) {
accessTokenId = accessToken.userId;
if (err) return next (err);
assert(accessTokenId);
next();
});
},
function(next) {
User.deleteAll({ name: 'myname' }, function(err, user) {
next(err);
});
},
function(next) {
User.find({ where: { name: 'myname' }}, function(err, userFound) {
if (err) return next (err);
expect(userFound.length).to.equal(0);
AccessToken.find({ where: { userId: usersId }}, function(err, tokens) {
if (err) return next(err);
expect(tokens.length).to.equal(0);
next();
});
});
},
], function(err) {
if (err) return done(err);
done();
});
});

describe('custom password hash', function() {
var defaultHashPassword, defaultValidatePassword;

Expand Down

0 comments on commit b53a22b

Please sign in to comment.