From 4a103eddfa503354356704dcd2163e3cfc1a1f16 Mon Sep 17 00:00:00 2001
From: Ahmed Magdy
Date: Mon, 30 Mar 2020 13:19:16 +0200
Subject: [PATCH] Validate that token is valid for patch request last token (#1386)
---
app/models/devise_token_auth/concerns/user.rb | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/models/devise_token_auth/concerns/user.rb b/app/models/devise_token_auth/concerns/user.rb
index 4a6cad7c1..1a87524b3 100644
--- a/app/models/devise_token_auth/concerns/user.rb
+++ b/app/models/devise_token_auth/concerns/user.rb
@@ -137,17 +137,17 @@ def token_is_current?(token, client)
 def token_can_be_reused?(token, client)
 # ghetto HashWithIndifferentAccess
 updated_at = tokens[client]['updated_at'] || tokens[client][:updated_at]
- last_token = tokens[client]['last_token'] || tokens[client][:last_token]
+ last_token_hash = tokens[client]['last_token'] || tokens[client][:last_token]
 return true if (
 # ensure that the last token and its creation time exist
- updated_at && last_token &&
+ updated_at && last_token_hash &&
 # ensure that previous token falls within the batch buffer throttle time of the last request
 updated_at.to_time > Time.zone.now - DeviseTokenAuth.batch_request_buffer_throttle &&
 # ensure that the token is valid
- DeviseTokenAuth::TokenFactory.valid_token_hash?(last_token)
+ DeviseTokenAuth::TokenFactory.token_hash_is_token?(last_token_hash, token)
 )
 end
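Review bot: The comment `# ensure that the token is valid` above the new `token_hash_is_token?(last_token_hash, token)` call is now stale: the check no longer validates the format of the stored hash, it verifies that the presented `token` matches the previous token's stored hash, so it should read `# ensure that the presented token matches the previous token's hash`. Since TokenFactory is outside the hunk, it is worth confirming that `token_hash_is_token?` returns false rather than raising when `last_token_hash` is not a well-formed hash — the removed `valid_token_hash?` guard was what kept a malformed stored value from turning into an exception on the reuse path. The pre-existing `tokens[client]['updated_at']` lookups still raise NoMethodError when `tokens` has no entry for `client`; a `return false unless tokens[client]` guard at the top of the method would make the reuse check fail closed instead.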