Add method to refresh session auth hash upon changing a user's password

ellmetha · ellmetha · commit 76f3c74a9733 · 2023-07-08T21:52:51.000-04:00
diff --git a/spec/marten_auth_spec.cr b/spec/marten_auth_spec.cr
@@ -201,6 +201,27 @@ describe MartenAuth do
     end
   end
 
+  describe "::update_session_auth_hash" do
+    it "updates the user session auth hash as expected" do
+      user = create_user(email: "test@example.com", password: "insecure")
+
+      session_store = Marten::HTTP::Session::Store::Cookie.new("sessionkey")
+      session_store["_auth_user_hash"] = "oldvalue"
+
+      request = Marten::HTTP::Request.new(
+        method: "GET",
+        resource: "/test/xyz",
+        headers: HTTP::Headers{"Host" => "example.com"},
+      )
+      request.session = session_store
+      request.user = user
+
+      MartenAuth.update_session_auth_hash(request, user)
+
+      session_store["_auth_user_hash"].should eq user.session_auth_hash
+    end
+  end
+
   describe "::valid_password_reset_token?" do
     it "returns true for a valid password reset token" do
       user = create_user(email: "test@example.com", password: "insecure")
diff --git a/src/marten_auth.cr b/src/marten_auth.cr
@@ -71,6 +71,19 @@ module MartenAuth
     request.user = nil
   end
 
+  # Refreshes the session auth hash for the current session.
+  #
+  # Calling this method may be necessary after changing a user's password, otherwise this user would be logged out of
+  # all their sessions. This method ensures that the session auth hash of the user for the current session is refreshed
+  # so that this user does not end up being logged out.
+  def self.update_session_auth_hash(request : Marten::HTTP::Request, user : BaseUser) : Nil
+    request.session.cycle_key
+
+    if request.session[USER_HASH_SESSION_KEY]? && request.user == user
+      request.session[USER_HASH_SESSION_KEY] = user.session_auth_hash
+    end
+  end
+
   # Returns a boolean indicating if the passed password reset token is valid for the considered `user`.
   def self.valid_password_reset_token?(user : BaseUser, token : String) : Bool
     decrypted = Hash(String, String).from_json(password_reset_token_encryptor.decrypt!(token))
@@ -84,7 +97,7 @@ module MartenAuth
   end
 
   # Returns a boolean indicating if the authentication hash in the session corresponds to the passed `user`'s one.
-  def self.valid_session_hash?(request, user)
+  def self.valid_session_hash?(request : Marten::HTTP::Request, user : BaseUser)
     Crypto::Subtle.constant_time_compare(
       request.session[USER_HASH_SESSION_KEY]? || "",
       user.session_auth_hash
