Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: hook to revoke sessions after password changed #3514

Merged
merged 1 commit into from
Sep 19, 2023
Merged

feat: hook to revoke sessions after password changed #3514

merged 1 commit into from
Sep 19, 2023

Conversation

dreksx
Copy link
Contributor

@dreksx dreksx commented Sep 15, 2023
edited
Loading

Currently, the Kratos system does not automatically log out or invalidate other active sessions when a user changes their password. This poses a significant security risk as it allows potentially unauthorized individuals to maintain access to the account even after the password has been updated.
This PR provides the option to add the revoke_active_sessions hook to the actions sections of the selfservice settings.

Related issue(s)

#3513

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

@codecov
Copy link

codecov bot commented Sep 15, 2023

Codecov Report

Merging #3514 (55c9859) into master (44aa74f) will increase coverage by 0.01%.
Report is 1 commits behind head on master.
The diff coverage is 54.54%.

❗ Current head 55c9859 differs from pull request most recent head b3082b9. Consider uploading reports for the commit b3082b9 to get more accurate results

@@            Coverage Diff             @@
##           master    #3514      +/-   ##
==========================================
+ Coverage   78.35%   78.36%   +0.01%     
==========================================
  Files         340      340              
  Lines       22518    22523       +5     
==========================================
+ Hits        17644    17651       +7     
+ Misses       3565     3563       -2     
  Partials     1309     1309
Files Changed Coverage Δ
selfservice/flow/settings/hook.go 60.00% <0.00%> (ø)
selfservice/hook/session_destroyer.go 64.70% <60.00%> (-1.97%) ⬇️
selfservice/hook/error.go 100.00% <100.00%> (ø)
selfservice/hook/verification.go 78.72% <100.00%> (ø)
selfservice/hook/web_hook.go 79.65% <100.00%> (ø)

... and 1 file with indirect coverage changes

aeneasr
aeneasr approved these changes Sep 18, 2023
View reviewed changes
Copy link
Member

@aeneasr aeneasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Brilliant!

@aeneasr
Copy link
Member

aeneasr commented Sep 18, 2023

Could you please also add some docs for this? Maybe as a new page in the Managing sessions section?

This was referenced Sep 18, 2023
Closed
Merged
@aeneasr aeneasr merged commit e6af6db into ory:master Sep 19, 2023
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr approved these changes

@zepatrik zepatrik Awaiting requested review from zepatrik zepatrik is a code owner

@hperl hperl Awaiting requested review from hperl hperl is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dreksx @aeneasr