I have an app where remove_tokens_after_password_reset is true. I discover that my password has been compromised, so I go to the web UI and change the password for a user. The last password token of the user still remains. This means the hacker who hacked my password can still access my app using the stale token.
The problem seems to be in the below code from https://github.com/lynndylanhurley/devise_token_auth/blob/15bf7857eca2d33602c7a9cb9d08db8a160f8ab8/app/models/devise_token_auth/concerns/user.rb
I believe the tokens should be cleared, including the last token, in this scenario, i.e., something like:
```ruby
# Runs after the password hash changes: when the setting is on and the user
# still holds tokens, drop every token (including the most recent one) so that
# no client can keep using a token issued under the old password.
def remove_tokens_after_password_reset
  should_remove_old_tokens = DeviseTokenAuth.remove_tokens_after_password_reset &&
                             encrypted_password_changed? && tokens.any?

  if should_remove_old_tokens
    self.tokens = {}   # tokens is a hash keyed by client id; clear it entirely
    save!
  end
end
```
Please let me know if I am misunderstanding this setting, and what is the best way to ensure a mobile app cannot use tokens based on old password after password reset.
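The scenario above, as an added, self-contained Ruby model (not the gem's code): a user record keeps one token per client, the attacker's client holds the newest token, and the owner changes the password. The `keep_latest_token: true` branch reproduces the behaviour the issue reports (the most recently issued token survives the reset); `keep_latest_token: false` is the proposed "clear everything" behaviour. Class and method names (`TokenUser`, `stale_token_survives?`, the `seq` ordering standing in for `updated_at`, PBKDF2 for the password hash) are assumptions made for the example, not devise_token_auth's API.

```ruby
require "securerandom"
require "openssl"

# Toy model of a user that keeps one API token per client ("web", "ios", ...),
# in the spirit of devise_token_auth's `tokens` hash. Illustrative only; names
# and internals are assumptions for this example, not the gem's implementation.
class TokenUser
  attr_reader :tokens

  def initialize(password, keep_latest_token: true)
    @tokens = {}                  # client_id => { "token" => digest, "seq" => n }
    @seq = 0                      # issue order, stands in for an updated_at column
    @keep_latest_token = keep_latest_token
    @salt = SecureRandom.hex(16)
    @encrypted_password = hash_password(password)
  end

  # Issue a fresh token for a client. Only the digest is stored server-side;
  # the plaintext goes back to the client once.
  def create_token(client_id)
    token = SecureRandom.urlsafe_base64(32)
    @seq += 1
    @tokens[client_id] = { "token" => digest(token), "seq" => @seq }
    token
  end

  # True when the presented token matches the digest stored for that client.
  def valid_token?(token, client_id)
    record = @tokens[client_id]
    return false unless record
    secure_equal?(record["token"], digest(token))
  end

  def authenticate(password)
    secure_equal?(@encrypted_password, hash_password(password))
  end

  # Password change. With keep_latest_token the newest token survives (the
  # behaviour the issue reports); without it every token is dropped, so any
  # client holding a pre-reset token has to log in again with the new password.
  def change_password(new_password)
    @encrypted_password = hash_password(new_password)
    return if @tokens.empty?

    if @keep_latest_token
      newest_client = @tokens.max_by { |_, record| record["seq"] }.first
      @tokens.select! { |client_id, _| client_id == newest_client }
    else
      @tokens = {}
    end
  end

  private

  def hash_password(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, 20_000, 32, "sha256").unpack1("H*")
  end

  def digest(token)
    OpenSSL::Digest::SHA256.hexdigest(token)
  end

  # Constant-time comparison so token checks do not leak via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed scenario from the issue: the owner's browser logs in first, then
# the attacker logs in from a mobile client with the stolen password (so the
# attacker holds the newest token), then the owner changes the password.
# Returns whether the attacker's token still works after the reset.
def stale_token_survives?(keep_latest_token:)
  user = TokenUser.new("old-password", keep_latest_token: keep_latest_token)
  user.create_token("web")                   # owner's web UI session
  attacker_token = user.create_token("ios")  # attacker's session, issued last
  user.change_password("new-password")
  user.valid_token?(attacker_token, "ios")
end

if __FILE__ == $PROGRAM_NAME
  puts "keep latest token: stale token still valid? #{stale_token_survives?(keep_latest_token: true)}"
  puts "clear all tokens:  stale token still valid? #{stale_token_survives?(keep_latest_token: false)}"
end
```

The point of the model is that "keep the most recent token" is only safe if the most recent token is the owner's; in the compromised-password case it is just as likely to be the attacker's, so the client that performed the reset should be re-authenticated explicitly rather than inferred from token age.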