Bug: Valid Refresh Tokens despite user changing password

Fixes anitab-org#903
tichnas · Jan 4, 2021 · 9872c7e · 9872c7e
1 parent 27c0337
commit 9872c7e
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 4 deletions.
diff --git a/app/api/resources/user.py b/app/api/resources/user.py
@@ -408,8 +408,13 @@ def post(cls):
         The return value is an access token and the expiry timestamp.
         The token is valid for 1 week.
         """
-        user_id = get_jwt_identity()
-        access_token = create_access_token(identity=user_id)
+        req_user = get_jwt_identity()
+        user = DAO.get_user(req_user["id"])
+
+        if user.password_hash != req_user["password"]:
+            return messages.TOKEN_IS_INVALID, HTTPStatus.UNAUTHORIZED
+
+        access_token = create_access_token(identity=req_user["id"])
 
         from run import application
 
@@ -472,7 +477,9 @@ def post(cls):
             )
 
         access_token = create_access_token(identity=user.id)
-        refresh_token = create_refresh_token(identity=user.id)
+        refresh_token = create_refresh_token(
+            identity={"id": user.id, "password": user.password_hash}
+        )
 
         from run import application
 

diff --git a/tests/users/test_api_refresh.py b/tests/users/test_api_refresh.py
@@ -2,6 +2,7 @@
 from datetime import timedelta
 
 from flask import json
+from http import HTTPStatus
 
 from app import messages
 from app.database.sqlalchemy_extension import db
@@ -31,7 +32,10 @@ def setUp(self):
 
     def test_user_refresh(self):
         with self.client:
-            refresh_header = get_test_request_header(user1["username"], refresh=True)
+            refresh_header = get_test_request_header(
+                {"id": self.first_user.id, "password": self.first_user.password_hash},
+                refresh=True,
+            )
             response = self.client.post(
                 "/refresh",
                 headers=refresh_header,
@@ -83,6 +87,22 @@ def test_user_refresh_expired_token(self):
         self.assertEqual(401, actual_response.status_code)
         self.assertEqual(expected_response, json.loads(actual_response.data))
 
+    def test_user_refresh_reset_password(self):
+        refresh_header = get_test_request_header(
+            {"id": self.first_user.id, "password": "new_password_hash"},
+            refresh=True,
+        )
+        expected_response = messages.TOKEN_IS_INVALID
+        actual_response = self.client.post(
+            "/refresh",
+            follow_redirects=True,
+            headers=refresh_header,
+            content_type="application/json",
+        )
+
+        self.assertEqual(HTTPStatus.UNAUTHORIZED, actual_response.status_code)
+        self.assertEqual(expected_response, json.loads(actual_response.data))
+
 
 if __name__ == "__main__":
     unittest.main()