Merge commit from fork

* Ensure tootctl revokes sessions, access tokens and web push subscriptions * Fix test coverage
2025-12-13 15:58:50 +00:00 · 2025-10-13 14:20:23 +02:00
parent 8d09e4ef23
commit 24dcb18013
3 changed files with 25 additions and 8 deletions
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -361,17 +361,22 @@ class User < ApplicationRecord
  end

  def reset_password!
+    # First, change password to something random, this revokes sessions and on-going access:
+    change_password!(SecureRandom.hex)
+
+    # Finally, send a reset password prompt to the user
+    send_reset_password_instructions
+  end
+
+  def change_password!(new_password)
    # First, change password to something random and deactivate all sessions
    transaction do
-      update(password: SecureRandom.hex)
+      update(password: new_password)
      session_activations.destroy_all
    end

    # Then, remove all authorized applications and connected push subscriptions
    revoke_access!
-
-    # Finally, send a reset password prompt to the user
-    send_reset_password_instructions
  end

  protected