@miguelpeixe
Member

All Submissions:

Changes proposed in this Pull Request:

p1722617670146119-slack-C015W6BES8J

Replaces the strategy implemented in #1787.

Upon verification, we want to destroy existing sessions to prevent a bad actor who originated the account creation from accessing the now-verified account. If the verification is for the current user, we destroy other sessions.

How to test the changes in this Pull Request:

  1. Check out this branch and register as a reader in a fresh session.
  2. Keep that session open and in another session (you can use a different browser), go through the same process
  3. Use the OTP or authentication link you've received in the new session
  4. Confirm you are logged in and verified
  5. Refresh the page in the previous session and confirm you've been logged out
  6. In a new session, register another reader account
  7. Grab the new reader user ID and in `wp shell`, enter `\Newspack\Reader_Activation::set_reader_verified( $user_id );`
  8. Refresh the page on the new reader account and confirm you've been logged out

Other information:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes, as applicable?
  • Have you successfully run tests with your changes locally?
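
The session handling described in this pull request, sketched with WordPress core's session token API as an added example (this is not the code merged in this PR; the function name `example_destroy_sessions_on_verification` is hypothetical, and it assumes it is called at the point where the reader account is marked verified):

```php
<?php
/**
 * Added example, not the plugin's own code.
 *
 * Invalidate sessions that existed before an account was verified, so a
 * session opened by whoever started the registration cannot outlive the
 * verification step.
 *
 * @param int $user_id ID of the user that has just been verified.
 * @return int Number of sessions that were destroyed.
 */
function example_destroy_sessions_on_verification( $user_id ) {
	$user_id = (int) $user_id;
	if ( $user_id <= 0 ) {
		return 0;
	}

	// Core session manager for this user (sessions live in user meta).
	$manager = WP_Session_Tokens::get_instance( $user_id );
	$before  = count( $manager->get_all() );

	// Token of the session making this request; empty string when the
	// request carries no valid login cookie (for example WP-CLI).
	$current_token = wp_get_session_token();

	if ( get_current_user_id() === $user_id && '' !== $current_token ) {
		// The verified user is the one making the request: keep this
		// session and drop every other one.
		$manager->destroy_others( $current_token );
	} else {
		// Verification was triggered from elsewhere (another user, an
		// admin, a CLI shell): no session can be trusted, drop them all.
		$manager->destroy_all();
	}

	return $before - count( $manager->get_all() );
}
```

Called from `wp shell`, as in step 7 of the test plan, there is no logged-in user, so the `destroy_all()` branch runs and the reader's browser session is logged out on the next page load.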

@miguelpeixe miguelpeixe added the [Status] Needs Review The issue or pull request needs to be reviewed label Aug 9, 2024
@miguelpeixe miguelpeixe self-assigned this Aug 9, 2024
@miguelpeixe miguelpeixe requested a review from a team as a code owner August 9, 2024 14:41
@github-actions github-actions bot added [Status] Approved The pull request has been reviewed and is ready to merge and removed [Status] Needs Review The issue or pull request needs to be reviewed labels Aug 12, 2024
@miguelpeixe miguelpeixe merged commit ab6efeb into trunk Aug 12, 2024
@miguelpeixe miguelpeixe deleted the fix/ras-destroy-other-session-on-verification branch August 12, 2024 13:50
matticbot pushed a commit that referenced this pull request Aug 15, 2024
# [5.1.0-alpha.1](v5.0.1...v5.1.0-alpha.1) (2024-08-15)

### Bug Fixes

* **data-events:** gate interaction for registration form ([#3327](#3327)) ([eb06194](eb06194))
* **ras:** destroy sessions on account verification ([#3328](#3328)) ([ab6efeb](ab6efeb))

### Features

* add phpcs sniff for newsletter methods ([#3337](#3337)) ([15f237c](15f237c))
* add woo team sync metadata (WIP) ([#3325](#3325)) ([e5cc5e3](e5cc5e3))
@matticbot
Contributor

🎉 This PR is included in version 5.1.0-alpha.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@matticbot
Contributor

🎉 This PR is included in version 5.3.0-alpha.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

@matticbot
Contributor

🎉 This PR is included in version 5.3.0-hotfix-memberships-prop-exists.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀

matticbot pushed a commit that referenced this pull request Aug 26, 2024
# [5.3.0](v5.2.1...v5.3.0) (2024-08-26)

### Bug Fixes

* **data-events:** gate interaction for registration form ([#3327](#3327)) ([eb06194](eb06194))
* **ras:** destroy sessions on account verification ([#3328](#3328)) ([ab6efeb](ab6efeb))

### Features

* add phpcs sniff for newsletter methods ([#3337](#3337)) ([15f237c](15f237c))
* add woo team sync metadata (WIP) ([#3325](#3325)) ([e5cc5e3](e5cc5e3))
@matticbot
Contributor

🎉 This PR is included in version 5.3.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
