
fix: normal logout affects all sessions #3571

Merged
merged 1 commit into from
Feb 21, 2023

Conversation

rob006
Contributor

@rob006 rob006 commented Jul 28, 2022

Changes proposed in this pull request:

Previously, all user tokens were deleted, which logs the user out of all sessions. After this change, logout only applies to the current session.

Necessity

  • Has the problem that is being solved here been clearly explained?
  • If applicable, have various options for solving this problem been considered?
  • For core PRs, does this need to be in core, or could it be in an extension?
  • Are we willing to maintain this for years / potentially forever?

Confirmed

  • Frontend changes: tested on a local Flarum installation.
  • Backend changes: tests are green (run composer test).
  • Core developer confirmed locally this works as intended.
  • Tests have been added, or are not appropriate here.

Required changes:

  • Related documentation PR: (Remove if irrelevant)
  • Related core extension PRs: (Remove if irrelevant)

Previously, all user tokens were deleted, which logs the user out of all sessions.
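The behaviour change this PR describes, as an added illustration that is not Flarum's code: a minimal token store where the old `logout_old` deletes every token the user owns (ending every session), the fixed `logout` revokes only the token presented by the current session, and a separate `logout_all` covers the "log out from all devices" case raised in review. Class and method names are assumptions for the example.

```python
from dataclasses import dataclass, field
import secrets


@dataclass
class TokenStore:
    """In-memory model of per-session access tokens (constructed for this example)."""
    # token -> user_id; each login (device / browser session) gets its own token
    tokens: dict = field(default_factory=dict)

    def issue(self, user_id: int) -> str:
        """Create a fresh token for one login."""
        token = secrets.token_hex(16)
        self.tokens[token] = user_id
        return token

    def user_for(self, token: str):
        """Resolve a token to its user, or None if it has been revoked."""
        return self.tokens.get(token)

    def active_count(self, user_id: int) -> int:
        """Number of sessions still signed in for this user."""
        return sum(1 for uid in self.tokens.values() if uid == user_id)

    def _revoke_all_for(self, user_id: int) -> int:
        doomed = [t for t, uid in self.tokens.items() if uid == user_id]
        for t in doomed:
            del self.tokens[t]
        return len(doomed)

    def logout_old(self, token: str) -> int:
        """Behaviour before the fix: a normal logout deletes every token of the
        user behind the current session, so all their other devices are logged out too."""
        user_id = self.tokens.get(token)
        return 0 if user_id is None else self._revoke_all_for(user_id)

    def logout(self, token: str) -> int:
        """Behaviour after the fix: revoke only the current session's token."""
        return 1 if self.tokens.pop(token, None) is not None else 0

    def logout_all(self, user_id: int) -> int:
        """Explicit 'log out from all devices', kept as a separate, deliberate action."""
        return self._revoke_all_for(user_id)


def demo() -> tuple:
    store = TokenStore()
    laptop, phone = store.issue(42), store.issue(42)
    store.logout(laptop)                       # only the laptop session ends
    still_signed_in = store.active_count(42)   # phone remains -> 1
    revoked = store.logout_all(42)             # explicit revoke-everywhere -> 1
    return still_signed_in, revoked, store.active_count(42)
```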
@davwheat
Member

I think that if we choose to make this change, we should have a new option in a user's settings page to "log out from all devices" for security reasons. Maybe also a count of active session tokens, too?

@rob006
Contributor Author

rob006 commented Jul 29, 2022

I don't think that having a "log out from all devices" feature is a blocker for this PR. Such a feature could be handled by an extension, while the current logout behavior is just really weird and I doubt it was intentional.

@SychO9
Member

SychO9 commented Jul 29, 2022

If we make this change though, a user effectively has no way of logging out from other signed-in devices, which is a security concern. So the idea of first introducing a way to log out from all sessions, then making this change, makes sense. I believe this is also a feature in our security roadmap.

@davwheat
Member

davwheat commented Jul 29, 2022

Yeah, the potential security implications are my concern for this PR, hence why I see it as blocking.

@matteocontrini
Contributor

There was #2074 by @clarkwinkelmann that introduced a more advanced GUI for managing sessions. Ideally that would be the best solution, I guess.

@SychO9
Member

SychO9 commented Aug 1, 2022

Yup, I'll be bringing that back to life in the next few days as part of the security roadmap. So let's close this for now.

@SychO9 SychO9 closed this Aug 1, 2022
@rob006 rob006 deleted the patch-1 branch August 3, 2022 14:59
@SychO9
Member

SychO9 commented Feb 21, 2023

@rob006 could you please revive this now that we have #3605 merged?

@rob006 rob006 restored the patch-1 branch February 21, 2023 14:34
@rob006
Contributor Author

rob006 commented Feb 21, 2023

@SychO9 I restored the branch, but I can't reopen this PR.

@SychO9 SychO9 reopened this Feb 21, 2023
@SychO9 SychO9 requested a review from a team as a code owner February 21, 2023 14:36
@SychO9 SychO9 changed the title from "On logout delete only access token related to current session" to "fix: normal logout affects all sessions" Feb 21, 2023
@SychO9 SychO9 added this to the 1.7 milestone Feb 21, 2023
@SychO9 SychO9 merged commit 79a9b23 into flarum:main Feb 21, 2023
@rob006 rob006 deleted the patch-1 branch February 21, 2023 20:29
@luceos luceos mentioned this pull request Mar 2, 2023