dkam/clinch
1
0
Fork 0
Code Issues 7 Pull Requests Actions 1 Packages Projects Releases Wiki Activity

Enforce account-active status across the auth lifecycle

Browse Source 
active? was only checked at the password step of sign-in. A user disabled
afterwards could (a) still complete the 2FA step and mint a valid session, and
(b) keep using any existing session until natural expiry, because per-request
auth only checked session expiry, not user status.

Three enforcement points:
- Mid-flow guard: verify_totp and webauthn_verify re-check active? before
  start_new_session_for, clearing the pending session and rejecting if disabled.
- Request-time guard: find_session_by_cookie now uses Session.for_active_user,
  so a session whose user is disabled no longer authenticates (authoritative,
  catches any disable path including direct DB changes).
- Immediate cleanup: User#revoke_sessions_when_deactivated destroys a user's
  sessions when status changes away from active, so access is revoked everywhere
  at once rather than on the next request.

Tests cover the mid-flow TOTP rejection, request-time rejection of an existing
session after disable, session destruction on disable, and that unrelated
updates leave sessions intact.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Dan Milne
2026-06-11 19:53:50 +10:00
parent 57d7d1f691
commit 89bd5f1432
6 changed files with 98 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
test/models/user_test.rb
View File

@@ -1,6 +1,27 @@
require "test_helper"
class UserTest < ActiveSupport::TestCase
test "disabling a user destroys their active sessions" do
user = User.create!(email_address: "disable_sessions@example.com", password: "password123")
user.sessions.create!
user.sessions.create!
assert_equal 2, user.sessions.count
user.update!(status: :disabled)
assert_equal 0, user.reload.sessions.count
end
test "reactivating or other updates do not destroy sessions" do
user = User.create!(email_address: "keep_sessions@example.com", password: "password123")
user.sessions.create!
# An update that does not change status must leave sessions intact.
user.update!(username: "keepsessions")
assert_equal 1, user.reload.sessions.count
end
test "downcases and strips email_address" do
user = User.new(email_address: " DOWNCASED@EXAMPLE.COM ")
assert_equal("downcased@example.com", user.email_address)