Browse Source

fix: invalidate all refresh token and populate a new token for current session on password change

Signed-off-by: Pranav C <pranavxc@gmail.com>
pull/9176/head
Pranav C 5 months ago
parent
commit
7795f0405d
  1. 5
      packages/nocodb/src/modules/auth/auth.controller.ts
  2. 3
      packages/nocodb/src/services/users/users.service.ts

5
packages/nocodb/src/modules/auth/auth.controller.ts

@ -140,7 +140,7 @@ export class AuthController {
scope: 'org',
})
@HttpCode(200)
async passwordChange(@Req() req: NcRequest): Promise<any> {
async passwordChange(@Req() req: NcRequest, @Res() res): Promise<any> {
if (!(req as any).isAuthenticated?.()) {
NcError.forbidden('Not allowed');
}
@ -151,6 +151,9 @@ export class AuthController {
body: req.body,
});
// set new refresh token
await this.setRefreshToken({ req, res });
return { msg: 'Password has been updated successfully' };
}

3
packages/nocodb/src/services/users/users.service.ts

@ -201,6 +201,9 @@ export class UsersService {
token_version: randomTokenString(),
});
// delete all refresh token and populate a new one
await UserRefreshToken.deleteAllUserToken(user.id);
this.appHooksService.emit(AppEvents.USER_PASSWORD_CHANGE, {
user: user,
ip: param.req?.clientIp,

Loading…
Cancel
Save