Merge pull request #2909 from OpenC3/sessions

Logout when changing password to clear sessions

Author: jmthomas

openc3-cosmos-cmd-tlm-api/spec/controllers/auth_controller_spec.rb

@@ -57,6 +57,28 @@
     end
   end
 
+  describe "set" do
+    it "revokes old sessions and issues a new token on password change" do
+      # Set initial password and get a session token
+      post :set, params: { password: 'PASSWORD' }
+      expect(response).to have_http_status(:ok)
+      old_token = response.body
+      expect(old_token).not_to be_empty
+
+      # Change password
+      post :set, params: { password: 'PASSWORD2', old_password: 'PASSWORD' }
+      expect(response).to have_http_status(:ok)
+      new_token = response.body
+      expect(new_token).not_to be_empty
+      expect(new_token).not_to eq(old_token)
+
+      # Old token should be invalid
+      expect(OpenC3::AuthModel.verify(old_token)).to eq(false)
+      # New token should be valid
+      expect(OpenC3::AuthModel.verify(new_token)).to eq(true)
+    end
+  end
+
   describe "verify" do
     it "requires token" do
       post :verify

openc3/lib/openc3/models/auth_model.rb

@@ -109,6 +109,7 @@ def self.set(password, old_password, key = PRIMARY_KEY)
       Store.set(key, pw_hash)
       @@pw_hash_cache = nil
       @@pw_hash_cache_time = nil
+      logout
     end
 
     # Creates a new session token. DO NOT CALL BEFORE VERIFYING.

openc3/spec/models/auth_model_spec.rb

@@ -61,6 +61,14 @@ module OpenC3
         expect(AuthModel.verify(token)).to eq(false)
       end
 
+      it "revokes all sessions on password change" do
+        token = AuthModel.generate_session
+        expect(AuthModel.verify(token)).to eq(true)
+
+        AuthModel.set('newpassword', AUTH_INITIAL_PASSWORD)
+        expect(AuthModel.verify(token)).to eq(false)
+      end
+
       it "raises when stored password hash is SHA256" do
         @redis.set(PW_HASH_PRIMARY_KEY, Digest::SHA256.hexdigest(AUTH_INITIAL_PASSWORD))
         expect{ AuthModel.verify_no_service(AUTH_INITIAL_PASSWORD, mode: :any) }.to \