Block refresh token of suspended users (#17927)

* Block refresh token of suspended users

* Add diegoleme as contributor

---------

Co-authored-by: Rijk van Zanten <rijkvanzanten@me.com>
Diego Leme
2023-04-11 10:22:00 -03:00
committed by GitHub
parent 166ba2f8c1
commit aaa0397c3a
2 changed files with 15 additions and 0 deletions


@@ -255,6 +255,8 @@ export class AuthenticationService {
async refresh(refreshToken: string): Promise<Record<string, any>> {
const { nanoid } = await import('nanoid');
const STALL_TIME = env['LOGIN_STALL_TIME'];
const timeStart = performance.now();
if (!refreshToken) {
throw new InvalidCredentialsException();
@@ -304,6 +306,18 @@ export class AuthenticationService {
throw new InvalidCredentialsException();
}
if (record.user_id && record.user_status !== 'active') {
await this.knex('directus_sessions').where({ token: refreshToken }).del();
if (record.user_status === 'suspended') {
await stall(STALL_TIME, timeStart);
throw new UserSuspendedException();
} else {
await stall(STALL_TIME, timeStart);
throw new InvalidCredentialsException();
}
}
if (record.user_id) {
const provider = getAuthProvider(record.user_provider);
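Review bot: The two branches of the new `if (record.user_status === 'suspended')` block differ only in the exception thrown, so the `await stall(STALL_TIME, timeStart)` call is duplicated; hoisting it makes the timing equalisation apply once and unconditionally to every non-active status: `await this.knex('directus_sessions').where({ token: refreshToken }).del();` / `await stall(STALL_TIME, timeStart);` / `throw record.user_status === 'suspended' ? new UserSuspendedException() : new InvalidCredentialsException();`. Note that the stall equalises response time but the distinct exception types still tell the caller whether the account is suspended rather than otherwise inactive; that seems acceptable here because the caller already holds a previously valid refresh token, and it presumably mirrors what the login path does, but a comment saying so would help future readers, e.g. `// Stall before throwing so a deleted/inactive session is not distinguishable by response time.` `STALL_TIME` is taken straight from `env['LOGIN_STALL_TIME']` without visible numeric coercion; whether `stall` tolerates a string value cannot be seen from this hunk and is worth confirming. The `refresh` method opens in the first hunk and its body continues past the end of this one.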


@@ -7,6 +7,7 @@
- bicouy0
- Nitwel
- azrikahar
- diegoleme
- u12206050
- that1matt
- jaads