feat: invalidate old token after changing the password (close #5515)

This commit is contained in:
Andy Hsu
2023-11-13 15:22:42 +08:00
parent a7421d8fc2
commit 3d51845f57
6 changed files with 24 additions and 6 deletions


@ -57,6 +57,12 @@ func Auth(c *gin.Context) {
c.Abort()
return
}
// validate password timestamp
if userClaims.PwdTS != user.PwdTS {
common.ErrorStrResp(c, "Password has been changed, login please", 401)
c.Abort()
return
}
if user.Disabled {
common.ErrorStrResp(c, "Current user is disabled, replace please", 401)
c.Abort()
@ -105,6 +111,12 @@ func Authn(c *gin.Context) {
c.Abort()
return
}
// validate password timestamp
if userClaims.PwdTS != user.PwdTS {
common.ErrorStrResp(c, "Password has been changed, login please", 401)
c.Abort()
return
}
if user.Disabled {
common.ErrorStrResp(c, "Current user is disabled, replace please", 401)
c.Abort()
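Review bot: The six-line password-timestamp check is pasted verbatim into both Auth (first hunk) and Authn (second hunk); a small helper that takes the claims and the user record and returns whether their PwdTS values differ, called from both middlewares, would keep the two paths from drifting the next time the rule changes. The comment `// validate password timestamp` says what, not why; `// reject tokens minted before the last password change (claims carry the PwdTS current at sign time)` states the invariant, assuming PwdTS is indeed copied into the claims at issuance, which happens outside these hunks. The user-facing message `"Password has been changed, login please"` reads awkwardly; `"Password has been changed, please log in again"` is clearer. Both Auth and Authn begin and end outside the hunks.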