Fix changing a user password to not incorrectly handle logging out old sessions; closes #3531

2021-08-15 17:37:12 -07:00 · 2021-08-15 17:37:12 -07:00 · 2b3303c46b
commit 2b3303c46b
parent 25d9ba4779
5 changed files with 32 additions and 28 deletions
--- a/app/Http/Controllers/Api/Client/AccountController.php
+++ b/app/Http/Controllers/Api/Client/AccountController.php
@ -58,12 +58,17 @@ class AccountController extends ClientApiController
     * Update the authenticated user's password. All existing sessions will be logged
     * out immediately.
     *
-     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
-     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Throwable
     */
    public function updatePassword(UpdatePasswordRequest $request): JsonResponse
    {
-        $this->updateService->handle($request->user(), $request->validated());
+        $user = $this->updateService->handle($request->user(), $request->validated());
+
+        // If you do not update the user in the session you'll end up working with a
+        // cached copy of the user that does not include the updated password. Do this
+        // to correctly store the new user details in the guard and allow the logout
+        // other devices functionality to work.
+        $this->sessionGuard->setUser($user);

        $this->sessionGuard->logoutOtherDevices($request->input('password'));

--- a/app/Http/Requests/Api/Client/Account/UpdateEmailRequest.php
+++ b/app/Http/Requests/Api/Client/Account/UpdateEmailRequest.php
@ -3,6 +3,8 @@
 namespace Pterodactyl\Http\Requests\Api\Client\Account;

 use Pterodactyl\Models\User;
+use Illuminate\Container\Container;
+use Illuminate\Contracts\Hashing\Hasher;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;

@ -17,8 +19,10 @@ class UpdateEmailRequest extends ClientApiRequest
            return false;
        }

+        $hasher = Container::getInstance()->make(Hasher::class);
+
        // Verify password matches when changing password or email.
-        if (!password_verify($this->input('password'), $this->user()->password)) {
+        if (!$hasher->check($this->input('password'), $this->user()->password)) {
            throw new InvalidPasswordProvidedException(trans('validation.internal.invalid_password'));
        }

--- a/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php
+++ b/app/Http/Requests/Api/Client/Account/UpdatePasswordRequest.php
@ -2,6 +2,8 @@

 namespace Pterodactyl\Http\Requests\Api\Client\Account;

+use Illuminate\Container\Container;
+use Illuminate\Contracts\Hashing\Hasher;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 use Pterodactyl\Exceptions\Http\Base\InvalidPasswordProvidedException;

@ -16,8 +18,10 @@ class UpdatePasswordRequest extends ClientApiRequest
            return false;
        }

+        $hasher = Container::getInstance()->make(Hasher::class);
+
        // Verify password matches when changing password or email.
-        if (!password_verify($this->input('current_password'), $this->user()->password)) {
+        if (!$hasher->check($this->input('current_password'), $this->user()->password)) {
            throw new InvalidPasswordProvidedException(trans('validation.internal.invalid_password'));
        }

--- a/app/Services/Users/UserUpdateService.php
+++ b/app/Services/Users/UserUpdateService.php
@ -5,7 +5,6 @@ namespace Pterodactyl\Services\Users;
 use Pterodactyl\Models\User;
 use Illuminate\Contracts\Hashing\Hasher;
 use Pterodactyl\Traits\Services\HasUserLevels;
-use Pterodactyl\Repositories\Eloquent\UserRepository;

 class UserUpdateService
 {
@ -16,29 +15,20 @@ class UserUpdateService
     */
    private $hasher;

-    /**
-     * @var \Pterodactyl\Repositories\Eloquent\UserRepository
-     */
-    private $repository;
-
    /**
     * UpdateService constructor.
     */
-    public function __construct(Hasher $hasher, UserRepository $repository)
+    public function __construct(Hasher $hasher)
    {
        $this->hasher = $hasher;
-        $this->repository = $repository;
    }

    /**
-     * Update the user model instance.
+     * Update the user model instance and return the updated model.
     *
-     * @return \Pterodactyl\Models\User
-     *
-     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
-     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Throwable
     */
-    public function handle(User $user, array $data)
+    public function handle(User $user, array $data): User
    {
        if (!empty(array_get($data, 'password'))) {
            $data['password'] = $this->hasher->make($data['password']);
@ -46,9 +36,8 @@ class UserUpdateService
            unset($data['password']);
        }

-        /** @var \Pterodactyl\Models\User $response */
-        $response = $this->repository->update($user->id, $data);
+        $user->forceFill($data)->saveOrFail();

-        return $response;
+        return $user->refresh();
    }
 }