feat(user):logout after change password EE-1590 (#6267)

* fix(user) logout after password change
2025-08-02 20:35:25 +02:00 · 2022-01-21 08:33:43 +08:00 · 2022-01-21 08:33:43 +08:00 · 661f0aad49
commit 661f0aad49
parent 58de8e175f
8 changed files with 53 additions and 11 deletions
--- a/api/http/handler/users/user_update.go
+++ b/api/http/handler/users/user_update.go
@ -3,6 +3,7 @@ package users
 import (
 	"errors"
 	"net/http"
+	"time"

 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
@ -99,6 +100,7 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http
 		if err != nil {
 			return &httperror.HandlerError{http.StatusInternalServerError, "Unable to hash user password", errCryptoHashFailure}
 		}
+		user.TokenIssueAt = time.Now().Unix()
 	}

 	if payload.Role != 0 {
@ -116,6 +118,5 @@ func (handler *Handler) userUpdate(w http.ResponseWriter, r *http.Request) *http

 	// remove all of the users persisted API keys
 	handler.apiKeyService.InvalidateUserKeyCache(user.ID)
-
 	return response.JSON(w, user)
 }
--- a/api/http/handler/users/user_update_password.go
+++ b/api/http/handler/users/user_update_password.go
@ -3,6 +3,7 @@ package users
 import (
 	"errors"
 	"net/http"
+	"time"

 	"github.com/asaskevich/govalidator"
 	httperror "github.com/portainer/libhttp/error"
@ -85,6 +86,8 @@ func (handler *Handler) userUpdatePassword(w http.ResponseWriter, r *http.Reques
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to hash user password", errCryptoHashFailure}
 	}

+	user.TokenIssueAt = time.Now().Unix()
+
 	err = handler.DataStore.User().UpdateUser(user.ID, user)
 	if err != nil {
 		return &httperror.HandlerError{http.StatusInternalServerError, "Unable to persist user changes inside the database", err}
--- a/api/jwt/jwt.go
+++ b/api/jwt/jwt.go
@ -121,6 +121,14 @@ func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData,

 	if err == nil && parsedToken != nil {
 		if cl, ok := parsedToken.Claims.(*claims); ok && parsedToken.Valid {
+
+			user, err := service.dataStore.User().User(portainer.UserID(cl.UserID))
+			if err != nil {
+				return nil, errInvalidJWTToken
+			}
+			if user.TokenIssueAt > cl.StandardClaims.IssuedAt {
+				return nil, errInvalidJWTToken
+			}
 			return &portainer.TokenData{
 				ID:       portainer.UserID(cl.UserID),
 				Username: cl.Username,
@ -162,6 +170,7 @@ func (service *Service) generateSignedToken(data *portainer.TokenData, expiresAt
 		Scope:    scope,
 		StandardClaims: jwt.StandardClaims{
 			ExpiresAt: expiresAt,
+			IssuedAt:  time.Now().Unix(),
 		},
 	}

--- a/api/portainer.go
+++ b/api/portainer.go
@ -1103,7 +1103,8 @@ type (
 		// User Theme
 		UserTheme string `example:"dark"`
 		// User role (1 for administrator account and 2 for regular account)
-		Role UserRole `json:"Role" example:"1"`
+		Role         UserRole `json:"Role" example:"1"`
+		TokenIssueAt int64    `json:"TokenIssueAt" example:"1"`

 		// Deprecated fields
 		// Deprecated in DBVersion == 25