Although OAuth tokens were revoked immediately, accessing the home
controller immediately generated new OAuth tokens and "revived"
the session, due to a combination of remember_me tokens and the
overridden `authenticate_user!` method.
def update
super do |resource|
- resource.session_activations.destroy_all if resource.errors.empty?
+ if resource.errors.empty?
+ resource.session_activations.destroy_all
+ resource.forget_me!
+ end
end
end
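Review bot: The new `resource.forget_me!` on the added line after `destroy_all` only invalidates outstanding remember cookies under certain conditions: as far as I recall Devise's `forget_me!` clears `remember_token` only when the model has that column, and clears `remember_created_at` only when `Devise.expire_all_remember_me_on_sign_out` is enabled, so which of the two applies here should be confirmed. A short comment naming the mechanism relied on would make the revocation guarantee reviewable, e.g. `# Invalidate remember-me cookies so a revoked session cannot be revived (relies on expire_all_remember_me_on_sign_out / remember_token).` Unlike the registrations controller change, no `remember_me(resource)` follows here, so the current client also loses its remember cookie; if that is intentional it deserves the same one-line note. The enclosing controller's file header is not shown in this hunk.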
# frozen_string_literal: true
class Auth::RegistrationsController < Devise::RegistrationsController
+ include Devise::Controllers::Rememberable
+
layout :determine_layout
before_action :set_invite, only: [:new, :create]
def update
super do |resource|
- resource.clear_other_sessions(current_session.session_id) if resource.saved_change_to_encrypted_password?
+ if resource.saved_change_to_encrypted_password?
+ resource.clear_other_sessions(current_session.session_id)
+ resource.forget_me!
+ remember_me(resource)
+ end
end
end
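Review bot: `remember_me(resource)` on the added line after `forget_me!` unconditionally issues a fresh remember cookie for the current browser, even for a user who never opted into "remember me" at sign-in, which silently extends that client's session lifetime as a side effect of a password change. It would be safer to re-issue the cookie only when one was present before the reset; if I read Devise's `Rememberable` helpers right, something like `was_remembered = cookies.key?(remember_key(resource, :user))` captured before `forget_me!` and then `remember_me(resource) if was_remembered` preserves the user's original choice. Either way, a comment explaining that the `forget_me!`/`remember_me` pair drops every other device's remember cookie while keeping this one would help the next reader.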
# frozen_string_literal: true
class HomeController < ApplicationController
+ before_action :redirect_unauthenticated_to_permalinks!
before_action :authenticate_user!
before_action :set_referrer_policy_header
private
- def authenticate_user!
+ def redirect_unauthenticated_to_permalinks!
return if user_signed_in?
matches = request.path.match(/\A\/web\/(statuses|accounts)\/([\d]+)\z/)
end
matches = request.path.match(%r{\A/web/timelines/tag/(?<tag>.+)\z})
+
redirect_to(matches ? tag_path(CGI.unescape(matches[:tag])) : default_redirect_path)
end
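Review bot: `user_signed_in?` in the renamed `redirect_unauthenticated_to_permalinks!` still goes through Warden, and Warden's rememberable strategy still runs there, so this controller change on its own does not appear to stop a remember cookie from re-establishing a session; the effective protection seems to come from the `forget_me!` calls in the other hunks, and that dependency is worth stating in a comment such as `# Runs before authenticate_user!; session revival is prevented by forget_me! on password change, not by this ordering.` Since the new before_action now precedes `authenticate_user!`, a redirect issued here halts the chain and the standard Devise `authenticate_user!` never runs for unauthenticated requests, which is fine but should be noted as deliberate. The lines after the `end` on line 40 look like a second hunk of the same method rendered without its header, so the tag-redirect branch was not reviewed as part of this change.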