[yggdrasil-connect] revoke tokens issued to PA client after user password changes

Author: tnqzh123

plugins/yggdrasil-connect/bootstrap.php

@@ -15,12 +15,14 @@
 use LittleSkin\YggdrasilConnect\Console\FixUUIDTable;
 use LittleSkin\YggdrasilConnect\Models\AccessToken;
 use LittleSkin\YggdrasilConnect\Models\UUID;
+use LittleSkin\YggdrasilConnect\Observers\UserObserver;
 use LittleSkin\YggdrasilConnect\Scope;
 
 require __DIR__.'/src/Utils/helpers.php';
 
 return function (Dispatcher $events, Filter $filter, Request $request) {
     Passport::personalAccessTokensExpireIn(now()->addSeconds(intval(Option::get('ygg_token_expire_1'))));
+    User::observe(UserObserver::class);
 
     if (env('YGG_VERBOSE_LOG')) {
         config(['logging.channels.ygg' => [

plugins/yggdrasil-connect/package.json

@@ -1,6 +1,6 @@
 {
   "name": "yggdrasil-connect",
-  "version": "6.1.1",
+  "version": "6.1.2",
   "title": "Yggdrasil Connect",
   "description": "LittleSkin\\YggdrasilConnect::config.plugin-description",
   "author": "LittleSkin",

plugins/yggdrasil-connect/src/Observers/UserObserver.php

@@ -0,0 +1,23 @@
+<?php
+
+namespace LittleSkin\YggdrasilConnect\Observers;
+
+use App\Models\User;
+use App\Services\Facades\Option;
+use Laravel\Passport\Token;
+
+class UserObserver {
+    public function updated(User $user) {
+        // Invalidate tokens when the user's password is changed
+        if($user->isDirty('password')) {
+            Token::where([
+                ['user_id', '=', $user->uid],
+                ['client_id', '=', intval(env('PASSPORT_PERSONAL_ACCESS_CLIENT_ID'))],
+                ['revoked', '=', false],
+                ['created_at', '>', now()->subSeconds(Option::get('ygg_token_expire_2'))],
+            ])->get()->each(function (Token $token) {
+                $token->revoke();
+            });
+        }
+    }
+}