fix(security): revoke tokens and invalidate sessions on password change

app/Http/Controllers/Api/UserApiController.php

@@ -13,6 +13,7 @@
  **/
 
 use App\Http\Controllers\APICRUDController;
+use App\Jobs\RevokeUserGrantsOnSessionRevocation;
 use App\Http\Controllers\Traits\RequestProcessor;
 use App\Http\Controllers\UserValidationRulesFactory;
 use App\ModelSerializers\SerializerRegistry;
@@ -244,7 +245,23 @@ public function updateMe()
         if (!Auth::check())
             return $this->error403();
 
-        return $this->update(Auth::user()->getId());
+        $password_changed = request()->filled('password');
+        $response = $this->update(Auth::user()->getId());
+        if ($password_changed) {
+            request()->session()->regenerate();
+        }
+        return $response;
+    }
+
+    public function revokeAllMyTokens()
+    {
+        if (!Auth::check())
+            return $this->error403();
+
+        $user = Auth::user();
+        RevokeUserGrantsOnSessionRevocation::dispatch($user)->afterResponse();
+        $user->setRememberToken(\Illuminate\Support\Str::random(60));
+        return $this->deleted();
     }
 
     public function updateMyPic(){

app/Http/Controllers/UserController.php

@@ -13,6 +13,7 @@
  **/
 
 use App\Http\Controllers\OpenId\DiscoveryController;
+use App\Jobs\RevokeUserGrantsOnExplicitLogout;
 use App\Http\Controllers\OpenId\OpenIdController;
 use App\Http\Controllers\Traits\JsonResponses;
 use App\Http\Utils\CountryList;
@@ -673,7 +674,7 @@ public function getIdentity($identifier)
     public function logout()
     {
         $user = $this->auth_service->getCurrentUser();
-        //RevokeUserGrantsOnExplicitLogout::dispatch($user)->afterResponse();
+        // RevokeUserGrantsOnExplicitLogout::dispatch($user)->afterResponse();
         $this->auth_service->logout();
         Session::flush();
         Session::regenerate();

app/Jobs/RevokeUserGrants.php

@@ -0,0 +1,114 @@
+<?php namespace App\Jobs;
+/*
+ * Copyright 2024 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Auth\User;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Log;
+use OAuth2\Services\ITokenService;
+use Utils\IPHelper;
+
+/**
+ * Class RevokeUserGrants
+ * @package App\Jobs
+ */
+abstract class RevokeUserGrants implements ShouldQueue
+{
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+
+    public $tries = 5;
+
+    public $timeout = 0;
+
+    /**
+     * @var int
+     */
+    private int $user_id;
+
+    /**
+     * @var string|null
+     */
+    private ?string $client_id;
+
+    /**
+     * @var string
+     */
+    private string $reason;
+
+    /**
+     * @param User $user
+     * @param string|null $client_id  null = revoke across all clients
+     * @param string $reason          audit message suffix
+     */
+    public function __construct(User $user, ?string $client_id, string $reason)
+    {
+        $this->user_id   = $user->getId();
+        $this->client_id = $client_id;
+        $this->reason    = $reason;
+        Log::debug(sprintf(
+            "RevokeUserGrants::constructor user %s client_id %s reason %s",
+            $this->user_id,
+            $client_id ?? 'N/A',
+            $reason
+        ));
+    }
+
+    public function handle(ITokenService $service): void
+    {
+        Log::debug("RevokeUserGrants::handle");
+
+        try {
+            $scope = !empty($this->client_id)
+                ? sprintf("client %s", $this->client_id)
+                : "all clients";
+
+            $action = sprintf(
+                "Revoking all grants for user %s on %s due to %s.",
+                $this->user_id,
+                $scope,
+                $this->reason
+            );
+
+            AddUserAction::dispatch($this->user_id, IPHelper::getUserIp(), $action);
+
+            // Emit to OTEL audit log (Elasticsearch) if enabled
+            if (config('opentelemetry.enabled', false)) {
+                EmitAuditLogJob::dispatch('audit.security.tokens_revoked', [
+                    'audit.action'      => 'revoke_tokens',
+                    'audit.entity'      => 'User',
+                    'audit.entity_id'   => (string) $this->user_id,
+                    'audit.timestamp'   => now()->toISOString(),
+                    'audit.description' => $action,
+                    'audit.reason'      => $this->reason,
+                    'audit.scope'       => $scope,
+                    'auth.user.id'      => $this->user_id,
+                    'client.ip'         => IPHelper::getUserIp(),
+                    'elasticsearch.index' => config('opentelemetry.logs.elasticsearch_index', 'logs-audit'),
+                ]);
+            }
+
+            $service->revokeUsersToken($this->user_id, $this->client_id);
+        } catch (\Exception $ex) {
+            Log::error($ex);
+        }
+    }
+
+    public function failed(\Throwable $exception): void
+    {
+        Log::error(sprintf("RevokeUserGrants::failed %s", $exception->getMessage()));
+    }
+}

app/Jobs/RevokeUserGrantsOnExplicitLogout.php

@@ -13,71 +13,16 @@
  **/
 
 use Auth\User;
-use Illuminate\Bus\Queueable;
-use Illuminate\Contracts\Queue\ShouldQueue;
-use Illuminate\Foundation\Bus\Dispatchable;
-use Illuminate\Queue\InteractsWithQueue;
-use Illuminate\Queue\SerializesModels;
-use Illuminate\Support\Facades\Log;
-use OAuth2\Services\ITokenService;
-use Utils\IPHelper;
 
 /**
- * Class RevokeUserGrants
+ * Class RevokeUserGrantsOnExplicitLogout
+ * Revokes all OAuth2 grants for a user when they explicitly log out.
  * @package App\Jobs
  */
-class RevokeUserGrantsOnExplicitLogout implements ShouldQueue
+class RevokeUserGrantsOnExplicitLogout extends RevokeUserGrants
 {
-    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
-
-    public $tries = 5;
-
-    public $timeout = 0;
-
-    /**
-     * @var int
-     */
-    private $user_id;
-
-    /**
-     * @var string
-     */
-    private $client_id;
-
-
-    /**
-     * @param User $user
-     * @param string|null $client_id
-     */
-    public function __construct(User $user, ?string $client_id = null){
-        $this->user_id = $user->getId();
-        $this->client_id = $client_id;
-        Log::debug(sprintf("RevokeUserGrants::constructor user %s client id %s", $this->user_id, !empty($client_id)? $client_id :"N/A"));
-    }
-
-    public function handle(ITokenService $service){
-        Log::debug(sprintf("RevokeUserGrants::handle"));
-
-        if(empty($this->client_id)) {
-            return;
-        }
-        try{
-            $action = sprintf
-            (
-              "Revoking all grants for user %s on %s due explicit Log out.",
-                $this->user_id,  sprintf("Client %s", $this->client_id)
-            );
-
-            AddUserAction::dispatch($this->user_id, IPHelper::getUserIp(), $action);
-            $service->revokeUsersToken($this->user_id, $this->client_id);
-        }
-        catch (\Exception $ex) {
-            Log::error($ex);
-        }
-    }
-
-    public function failed(\Throwable $exception)
+    public function __construct(User $user, ?string $client_id = null)
     {
-        Log::error(sprintf( "RevokeUserGrants::failed %s", $exception->getMessage()));
+        parent::__construct($user, $client_id, 'explicit logout');
     }
-}
+}

app/Jobs/RevokeUserGrantsOnPasswordChange.php

@@ -0,0 +1,28 @@
+<?php namespace App\Jobs;
+/*
+ * Copyright 2024 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Auth\User;
+
+/**
+ * Class RevokeUserGrantsOnPasswordChange
+ * Revokes all OAuth2 grants for a user across all clients after a password change.
+ * @package App\Jobs
+ */
+class RevokeUserGrantsOnPasswordChange extends RevokeUserGrants
+{
+    public function __construct(User $user)
+    {
+        parent::__construct($user, null, 'password change');
+    }
+}

app/Jobs/RevokeUserGrantsOnSessionRevocation.php

@@ -0,0 +1,28 @@
+<?php namespace App\Jobs;
+/*
+ * Copyright 2024 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Auth\User;
+
+/**
+ * Class RevokeUserGrantsOnSessionRevocation
+ * Revokes all OAuth2 grants for a user when they explicitly sign out all other devices.
+ * @package App\Jobs
+ */
+class RevokeUserGrantsOnSessionRevocation extends RevokeUserGrants
+{
+    public function __construct(User $user)
+    {
+        parent::__construct($user, null, 'user-initiated session revocation');
+    }
+}

app/Providers/EventServiceProvider.php

@@ -19,6 +19,7 @@
 use App\Events\UserLocked;
 use App\Events\UserPasswordResetRequestCreated;
 use App\Events\UserPasswordResetSuccessful;
+use App\Jobs\RevokeUserGrantsOnPasswordChange;
 use App\Events\UserSpamStateUpdated;
 use App\Audit\AuditContext;
 use App\libs\Auth\Repositories\IUserPasswordResetRequestRepository;
@@ -57,7 +58,7 @@ final class EventServiceProvider extends ServiceProvider
         'Illuminate\Database\Events\QueryExecuted' => [
         ],
         'Illuminate\Auth\Events\Logout' => [
-            //'App\Listeners\OnUserLogout',
+            'App\Listeners\OnUserLogout',
         ],
         'Illuminate\Auth\Events\Login' => [
             'App\Listeners\OnUserLogin',
@@ -169,6 +170,8 @@ public function boot()
             if(is_null($user)) return;
             if(!$user instanceof User) return;
             Mail::queue(new UserPasswordResetMail($user));
+            // Revoke all OAuth2 tokens for this user across all clients
+            RevokeUserGrantsOnPasswordChange::dispatch($user)->afterResponse();
         });
 
         Event::listen(OAuth2ClientLocked::class, function($event){

app/libs/Auth/Models/User.php

@@ -1578,6 +1578,8 @@ public function setPassword(string $password): void
         $this->password_salt = AuthHelper::generateSalt(self::SaltLen, $this->password_enc);
         $this->password = AuthHelper::encrypt_password($password, $this->password_salt, $this->password_enc);
 
+        $this->setRememberToken(\Illuminate\Support\Str::random(60));
+
         $action = 'User set new password.';
         $current_user = Auth::user();
         if($current_user instanceof User) {

resources/js/profile/actions.js

@@ -83,6 +83,10 @@ export const revokeToken = async (value, hint) => {
     )({'X-CSRF-TOKEN': window.CSFR_TOKEN});
 }
 
+export const revokeAllTokens = async () => {
+    return deleteRawRequest(window.REVOKE_ALL_TOKENS_ENDPOINT)({'X-CSRF-TOKEN': window.CSFR_TOKEN});
+}
+
 const normalizeEntity = (entity) => {
     entity.public_profile_show_photo = entity.public_profile_show_photo ? 1 : 0;
     entity.public_profile_show_fullname = entity.public_profile_show_fullname ? 1 : 0;