graphile / starter

Opinionated SaaS quick-start with pre-built user account and organization system for full-stack application development in React, Node.js, GraphQL and PostgreSQL. Powered by PostGraphile, TypeScript, Apollo Client, Graphile Worker, Graphile Migrate, GraphQL Code Generator, Ant Design and Next.js
https://graphile-starter.herokuapp.com

Failure to Invalidate session after password change #276

Closed sudheendra17 closed 2 years ago

sudheendra17 commented 2 years ago

This issue is regarding invalidating a session after a password change

Steps to reproduce:

1) Go to https://graphile-starter.herokuapp.com
2) Create an account or log in
3) Open another incognito tab and request a password change for the same account
4) Change the password for the account in the incognito tab
5) You can observe that the account in the original tab does not get logged out and is still active

IMPACT:

This issue can sometimes lead to an account takeover since the user is not aware of his password change. As a best practice it is always advised to invalidate the existing sessions after the password change.

benjie commented 2 years ago

We do send audit emails to let the user know that their password has been changed; but if you want to revoke existing sessions too then you can do so here:

https://github.com/graphile/starter/blob/b54f80c070793e18f0d2423bbaecfdb2ccebe23a/%40app/db/migrations/committed/000001.sql#L1229-L1235

with something like:

```sql
-- revoke every other session belonging to the user whose password just changed,
-- keeping only the session that made the change
delete from app_private.sessions
where user_id = v_user.id
and sessions.uuid <> app_public.current_session_id();
```
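The snippet above is a fragment meant to be pasted into the starter's existing `change_password` function. The following is an added, self-contained example (not code from graphile/starter) that shows the whole flow end to end: a minimal stand-in schema, re-authentication with the old password, the hash update, and the session revocation. The tables, the `jwt.claims.session_id` setting, `user_secrets`, and the `change_password` signature are assumptions made for this example; only `app_private.sessions`, `app_public.current_session_id()` and `v_user` come from the reply. It runs against any PostgreSQL with the `pgcrypto` extension.

```sql
-- Added example, not the project's migration.  Schema below is an assumed
-- minimal stand-in for the starter's tables.
create extension if not exists pgcrypto;

create schema if not exists app_public;
create schema if not exists app_private;

create table app_public.users (
  id uuid primary key default gen_random_uuid(),
  username text not null unique
);

create table app_private.user_secrets (
  user_id uuid primary key references app_public.users on delete cascade,
  password_hash text not null
);

create table app_private.sessions (
  uuid uuid primary key default gen_random_uuid(),
  user_id uuid not null references app_public.users on delete cascade,
  created_at timestamptz not null default now()
);

-- The calling session is identified by a per-request setting that the API
-- layer installs on the connection (setting name assumed for this example).
create function app_public.current_session_id() returns uuid as $$
  select nullif(current_setting('jwt.claims.session_id', true), '')::uuid;
$$ language sql stable;

create function app_public.change_password(old_password text, new_password text)
returns boolean as $$
declare
  v_session app_private.sessions;
  v_user app_public.users;
  v_secret app_private.user_secrets;
begin
  -- Resolve the caller's session; refuse to run unauthenticated.
  select * into v_session from app_private.sessions
    where uuid = app_public.current_session_id();
  if not found then
    raise exception 'You must log in to change your password' using errcode = 'LOGIN';
  end if;
  select * into v_user from app_public.users where id = v_session.user_id;
  select * into v_secret from app_private.user_secrets where user_id = v_user.id;

  -- Re-authenticate with the old password before touching anything.
  if v_secret.password_hash <> crypt(old_password, v_secret.password_hash) then
    raise exception 'Incorrect old password' using errcode = 'CREDS';
  end if;

  update app_private.user_secrets
    set password_hash = crypt(new_password, gen_salt('bf'))
    where user_id = v_user.id;

  -- The fix suggested in the reply: drop every session of this user except
  -- the one that just proved it knows the old password.  'is distinct from'
  -- rather than '<>' so the delete still works if current_session_id() is NULL.
  delete from app_private.sessions
    where user_id = v_user.id
      and uuid is distinct from app_public.current_session_id();

  return true;
end;
$$ language plpgsql volatile security definer set search_path = pg_catalog, public, pg_temp;

-- Usage: two live sessions for one user, then change the password from the
-- first one.  Sample data is constructed for this example.
insert into app_public.users (username) values ('alice');
insert into app_private.user_secrets
  select id, crypt('hunter2', gen_salt('bf')) from app_public.users;
insert into app_private.sessions (user_id)
  select id from app_public.users
  union all
  select id from app_public.users;

select set_config('jwt.claims.session_id',
  (select uuid::text from app_private.sessions limit 1), false);
select app_public.change_password('hunter2', 'correct-horse-battery-staple');
-- Only the caller's session survives; the other tab's session is gone.
select count(*) from app_private.sessions;
```

Two points worth checking when carrying this over to the real function. First, the comparison operator: in SQL `uuid <> NULL` evaluates to NULL, so if the same `delete` is reused in a flow that runs without a session (a forgot-password reset completed from an e-mail link, for instance), a `<>` filter silently deletes nothing; `is distinct from`, or simply dropping the filter so that every session is revoked in that flow, avoids that. Second, because the sessions table is the only thing the API consults on each request, deleting rows is enough to log the other tab out on its next request; there is no client-side state to clear. The audit e-mail mentioned in the reply remains useful alongside this, since it tells the legitimate owner that the change happened even when the attacker's session was the one that survived.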