diff --git a/services/web/app/coffee/Features/User/UserController.coffee b/services/web/app/coffee/Features/User/UserController.coffee index 60468eef94..389de1a0f2 100644 --- a/services/web/app/coffee/Features/User/UserController.coffee +++ b/services/web/app/coffee/Features/User/UserController.coffee @@ -108,6 +108,14 @@ module.exports = UserController = setNewPasswordUrl: setNewPasswordUrl } + clearSessions: (req, res, next = (error) ->) -> + metrics.inc "user.clear-sessions" + user = AuthenticationController.getSessionUser(req) + logger.log {user_id: user._id}, "clearing sessions for user" + UserSessionsManager.revokeAllUserSessions user, [req.sessionID], (err) -> + return next(err) if err? + res.sendStatus 201 + changePassword : (req, res, next = (error) ->)-> metrics.inc "user.password-change" oldPass = req.body.currentPassword diff --git a/services/web/app/coffee/Features/User/UserPagesController.coffee b/services/web/app/coffee/Features/User/UserPagesController.coffee index c4bbb3de0a..76d88803a7 100644 --- a/services/web/app/coffee/Features/User/UserPagesController.coffee +++ b/services/web/app/coffee/Features/User/UserPagesController.coffee @@ -1,5 +1,6 @@ UserLocator = require("./UserLocator") UserGetter = require("./UserGetter") +UserSessionsManager = require("./UserSessionsManager") ErrorController = require("../Errors/ErrorController") logger = require("logger-sharelatex") Settings = require("settings-sharelatex") @@ -63,3 +64,14 @@ module.exports = user: user, languages: Settings.languages, accountSettingsTabActive: true + + sessionsPage: (req, res, next) -> + user = AuthenticationController.getSessionUser(req) + logger.log user_id: user._id, "loading sessions page" + UserSessionsManager.getAllUserSessions user, [req.sessionID], (err, sessions) -> + if err? + logger.err {user_id: user._id}, "error getting all user sessions" + return next(err) + res.render 'user/sessions', + title: "sessions" + sessions: sessions 
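Review bot: `res.sendStatus 201` at the end of `clearSessions` reports "Created" for an operation that revokes sessions; 200 or 204 is the conventional reply for a state-changing POST that creates nothing, and the unit test that pins 201 would need the same change. The audit line records only `user_id`; since this is a security-relevant action, logging the requester's address alongside it — `logger.log {user_id: user._id, ip: req.ip}, "clearing sessions for user"` — gives incident responders something to correlate against. `[req.sessionID]` is passed as the retain list, so the caller's own login survives the purge; a one-line comment stating that this is deliberate would save the next reader from wondering whether the current session should go too.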
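Review bot: The error branch in `sessionsPage` logs `{user_id: user._id}` but drops `err`, so the reason a Redis lookup failed never reaches the log; it should be `logger.err {user_id: user._id, err: err}, "error getting all user sessions"`. The page title is a raw `"sessions"` string while the neighbouring views go through `translate(...)`. `AuthenticationController` is used here but is not among the requires this commit adds to the file header, so it is presumably already imported further down that header — worth confirming.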
diff --git a/services/web/app/coffee/Features/User/UserSessionsManager.coffee b/services/web/app/coffee/Features/User/UserSessionsManager.coffee index 95974ec59a..23a9bcbb36 100644 --- a/services/web/app/coffee/Features/User/UserSessionsManager.coffee +++ b/services/web/app/coffee/Features/User/UserSessionsManager.coffee @@ -55,11 +55,40 @@ module.exports = UserSessionsManager = UserSessionsManager._checkSessions(user, () ->) callback() + getAllUserSessions: (user, exclude, callback=(err, sessionKeys)->) -> + exclude = _.map(exclude, UserSessionsManager._sessionKey) + sessionSetKey = UserSessionsManager._sessionSetKey(user) + rclient.smembers sessionSetKey, (err, sessionKeys) -> + if err? + logger.err user_id: user._id, "error getting all session keys for user from redis" + return callback(err) + sessionKeys = _.filter sessionKeys, (k) -> !(_.contains(exclude, k)) + if sessionKeys.length == 0 + logger.log {user_id: user._id}, "no other sessions found, returning" + return callback(null, []) + rclient.mget sessionKeys, (err, sessions) -> + if err? + logger.err {user_id: user._id}, "error getting all sessions for user from redis" + return callback(err) + + result = [] + for session in sessions + if session is null + continue + session = JSON.parse(session) + session_user = session?.user or session?.passport?.user + result.push { + ip_address: session_user.ip_address, + session_created: session_user.session_created + } + + return callback(null, result) + revokeAllUserSessions: (user, retain, callback=(err)->) -> - if !retain + if !retain? retain = [] retain = retain.map((i) -> UserSessionsManager._sessionKey(i)) - if !user + if !user? logger.log {}, "no user to revoke sessions for, returning" return callback(null) logger.log {user_id: user._id}, "revoking all existing sessions for user" diff --git a/services/web/app/coffee/router.coffee b/services/web/app/coffee/router.coffee index 644a9ff13d..56dd8d821b 100644 --- a/services/web/app/coffee/router.coffee 
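Review bot: `session_user.ip_address` in the `for session in sessions` loop dereferences `session_user` without checking it, and `JSON.parse(session)` is unguarded, so a key in the user's session set whose stored body lacks both `user` and `passport.user`, or is not valid JSON, throws a TypeError/SyntaxError instead of reaching `callback(err)`. Because this runs inside a redis-client callback, the exception is not routed through Express's error handling and would surface as an uncaught exception for the process. Skipping malformed entries with a log line keeps one bad session from breaking the whole page. The existing `session is null` branch presumably covers a key that expired between `smembers` and `mget`; that deserves a comment since the two reads are not atomic.
```coffeescript
        result = []
        for session in sessions
          # a key can expire between smembers and mget; mget returns null for it
          continue unless session?
          try
            session = JSON.parse(session)
          catch e
            logger.err {user_id: user._id}, "malformed session body in redis, skipping"
            continue
          session_user = session?.user or session?.passport?.user
          # a session with no user record has nothing to show on the page
          continue unless session_user?
          result.push {
            ip_address: session_user.ip_address,
            session_created: session_user.session_created
          }
        # … unchanged: callback(null, result) …
```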
+++ b/services/web/app/coffee/router.coffee @@ -88,6 +88,9 @@ module.exports = class Router webRouter.post '/user/settings', AuthenticationController.requireLogin(), UserController.updateUserSettings webRouter.post '/user/password/update', AuthenticationController.requireLogin(), UserController.changePassword + webRouter.get '/user/sessions', AuthenticationController.requireLogin(), UserPagesController.sessionsPage + webRouter.post '/user/sessions/clear', AuthenticationController.requireLogin(), UserController.clearSessions + webRouter.delete '/user/newsletter/unsubscribe', AuthenticationController.requireLogin(), UserController.unsubscribe webRouter.delete '/user', AuthenticationController.requireLogin(), UserController.deleteUser diff --git a/services/web/app/views/user/sessions.jade b/services/web/app/views/user/sessions.jade new file mode 100644 index 0000000000..948ed2d94f --- /dev/null +++ b/services/web/app/views/user/sessions.jade 
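Review bot: `POST /user/sessions/clear` revokes every other login for the account, yet the route is gated only by `requireLogin()`; whatever CSRF protection applies comes from middleware outside this hunk (the client does send `X-CSRF-Token`, so presumably a global check covers it — confirm it is enforced on this path). For an action of this sensitivity, requiring the current password in the request body, as `/user/password/update` already does via `req.body.currentPassword`, would stop a hijacked session from locking the legitimate user out of their other devices. A short comment above the two routes noting that the caller's own session is intentionally retained would help.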
@@ -0,0 +1,49 @@ +extends ../layout + + +block scripts + script(type='text/javascript'). + window.otherSessions = !{JSON.stringify(sessions)} + + +block content + .content.content-alt + .container + .row + .col-md-10.col-md-offset-1.col-lg-8.col-lg-offset-2 + .card.clear-user-sessions(ng-controller="ClearSessionsController", ng-cloak) + .page-header + h1 #{translate("your_sessions")} + + div + p.small + | #{translate("clear_sessions_description")} + + div + div(ng-if="state.otherSessions.length == 0") + p.text-center + | #{translate("no_other_sessions")} + + div(ng-if="state.success == true") + p.text-success.text-center + | #{translate('clear_sessions_success')} + + div(ng-if="state.otherSessions.length != 0") + table.table.table-striped + thead + tr + th #{translate("ip_address")} + th #{translate("session_created_at")} + tr(ng-repeat="session in state.otherSessions") + td {{session.ip_address}} + td {{session.session_created | formatDate}} + + p.actions + .text-center + button.btn.btn-lg.btn-primary( + ng-click="clearSessions()" + ) #{translate('clear_sessions')} + + div(ng-if="state.error == true") + p.text-danger.error + | #{translate('generic_something_went_wrong')} diff --git a/services/web/app/views/user/settings.jade b/services/web/app/views/user/settings.jade index 44028f1c54..2e17eb1888 100644 --- a/services/web/app/views/user/settings.jade +++ b/services/web/app/views/user/settings.jade @@ -114,6 +114,14 @@ block content a(id="beta-program-participate-link" href="/beta/participate") #{translate("manage_beta_program_membership")} hr + + h3 + | #{translate("sessions")} + + div + a(id="sessions-link", href="/user/sessions") #{translate("manage_sessions")} + + hr if !externalAuthenticationSystemUsed() diff --git a/services/web/public/coffee/ide/editor/directives/aceEditor/spell-check/SpellCheckManager.coffee b/services/web/public/coffee/ide/editor/directives/aceEditor/spell-check/SpellCheckManager.coffee index 95a6519d59..e84ce1d785 100644 
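Review bot: `window.otherSessions = !{JSON.stringify(sessions)}` embeds the session list unescaped inside a `<script>` block; `JSON.stringify` does not escape `</script>` or the U+2028/U+2029 line separators, so any string field that reaches it can terminate the script and inject markup. The fields are `ip_address` and `session_created` read back from the session store; if `ip_address` is ever derived from a client-supplied header such as `X-Forwarded-For` (not visible in this diff), it is attacker-influenced. Escape `<` and the two separators before embedding, e.g. `!{JSON.stringify(sessions).replace(/</g, '\\u003c').replace(/\u2028/g, '\\u2028').replace(/\u2029/g, '\\u2029')}`, or put the data in an escaped `data-` attribute and `JSON.parse` it in the controller. The Angular `{{session.ip_address}}` cells are escaped by Angular and are fine.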
--- a/services/web/public/coffee/ide/editor/directives/aceEditor/spell-check/SpellCheckManager.coffee +++ b/services/web/public/coffee/ide/editor/directives/aceEditor/spell-check/SpellCheckManager.coffee 
@@ -213,7 +213,9 @@ define [ positions = [] for line, row in lines if !linesToProcess? or linesToProcess[row] - wordRegex = /\\?['a-zA-Z\u00C0-\u017F]+/g + # Regex generated from /\\?['\p{L}]+/g via https://mothereff.in/regexpu. + # \p{L} matches unicode characters in the 'letter' category, but is not supported until ES6. + wordRegex = /\\?(?:['A-Za-z\xAA\xB5\xBA\xC0-\xD6\xD8-\xF6\xF8-\u02C1\u02C6-\u02D1\u02E0-\u02E4\u02EC\u02EE\u0370-\u0374\u0376\u0377\u037A-\u037D\u037F\u0386\u0388-\u038A\u038C\u038E-\u03A1\u03A3-\u03F5\u03F7-\u0481\u048A-\u052F\u0531-\u0556\u0559\u0561-\u0587\u05D0-\u05EA\u05F0-\u05F2\u0620-\u064A\u066E\u066F\u0671-\u06D3\u06D5\u06E5\u06E6\u06EE\u06EF\u06FA-\u06FC\u06FF\u0710\u0712-\u072F\u074D-\u07A5\u07B1\u07CA-\u07EA\u07F4\u07F5\u07FA\u0800-\u0815\u081A\u0824\u0828\u0840-\u0858\u08A0-\u08B4\u08B6-\u08BD\u0904-\u0939\u093D\u0950\u0958-\u0961\u0971-\u0980\u0985-\u098C\u098F\u0990\u0993-\u09A8\u09AA-\u09B0\u09B2\u09B6-\u09B9\u09BD\u09CE\u09DC\u09DD\u09DF-\u09E1\u09F0\u09F1\u0A05-\u0A0A\u0A0F\u0A10\u0A13-\u0A28\u0A2A-\u0A30\u0A32\u0A33\u0A35\u0A36\u0A38\u0A39\u0A59-\u0A5C\u0A5E\u0A72-\u0A74\u0A85-\u0A8D\u0A8F-\u0A91\u0A93-\u0AA8\u0AAA-\u0AB0\u0AB2\u0AB3\u0AB5-\u0AB9\u0ABD\u0AD0\u0AE0\u0AE1\u0AF9\u0B05-\u0B0C\u0B0F\u0B10\u0B13-\u0B28\u0B2A-\u0B30\u0B32\u0B33\u0B35-\u0B39\u0B3D\u0B5C\u0B5D\u0B5F-\u0B61\u0B71\u0B83\u0B85-\u0B8A\u0B8E-\u0B90\u0B92-\u0B95\u0B99\u0B9A\u0B9C\u0B9E\u0B9F\u0BA3\u0BA4\u0BA8-\u0BAA\u0BAE-\u0BB9\u0BD0\u0C05-\u0C0C\u0C0E-\u0C10\u0C12-\u0C28\u0C2A-\u0C39\u0C3D\u0C58-\u0C5A\u0C60\u0C61\u0C80\u0C85-\u0C8C\u0C8E-\u0C90\u0C92-\u0CA8\u0CAA-\u0CB3\u0CB5-\u0CB9\u0CBD\u0CDE\u0CE0\u0CE1\u0CF1\u0CF2\u0D05-\u0D0C\u0D0E-\u0D10\u0D12-\u0D3A\u0D3D\u0D4E\u0D54-\u0D56\u0D5F-\u0D61\u0D7A-\u0D7F\u0D85-\u0D96\u0D9A-\u0DB1\u0DB3-\u0DBB\u0DBD\u0DC0-\u0DC6\u0E01-\u0E30\u0E32\u0E33\u0E40-\u0E46\u0E81\u0E82\u0E84\u0E87\u0E88\u0E8A\u0E8D\u0E94-\u0E97\u0E99-\u0E9F\u0EA1-\u0EA3\u0EA5\u0EA7\u0EAA\u0EAB\u0EAD-\u0EB0\u0EB2\u0EB3\u0EBD\u0EC0-\u0EC4\u0EC6\u0E
DC-\u0EDF\u0F00\u0F40-\u0F47\u0F49-\u0F6C\u0F88-\u0F8C\u1000-\u102A\u103F\u1050-\u1055\u105A-\u105D\u1061\u1065\u1066\u106E-\u1070\u1075-\u1081\u108E\u10A0-\u10C5\u10C7\u10CD\u10D0-\u10FA\u10FC-\u1248\u124A-\u124D\u1250-\u1256\u1258\u125A-\u125D\u1260-\u1288\u128A-\u128D\u1290-\u12B0\u12B2-\u12B5\u12B8-\u12BE\u12C0\u12C2-\u12C5\u12C8-\u12D6\u12D8-\u1310\u1312-\u1315\u1318-\u135A\u1380-\u138F\u13A0-\u13F5\u13F8-\u13FD\u1401-\u166C\u166F-\u167F\u1681-\u169A\u16A0-\u16EA\u16F1-\u16F8\u1700-\u170C\u170E-\u1711\u1720-\u1731\u1740-\u1751\u1760-\u176C\u176E-\u1770\u1780-\u17B3\u17D7\u17DC\u1820-\u1877\u1880-\u1884\u1887-\u18A8\u18AA\u18B0-\u18F5\u1900-\u191E\u1950-\u196D\u1970-\u1974\u1980-\u19AB\u19B0-\u19C9\u1A00-\u1A16\u1A20-\u1A54\u1AA7\u1B05-\u1B33\u1B45-\u1B4B\u1B83-\u1BA0\u1BAE\u1BAF\u1BBA-\u1BE5\u1C00-\u1C23\u1C4D-\u1C4F\u1C5A-\u1C7D\u1C80-\u1C88\u1CE9-\u1CEC\u1CEE-\u1CF1\u1CF5\u1CF6\u1D00-\u1DBF\u1E00-\u1F15\u1F18-\u1F1D\u1F20-\u1F45\u1F48-\u1F4D\u1F50-\u1F57\u1F59\u1F5B\u1F5D\u1F5F-\u1F7D\u1F80-\u1FB4\u1FB6-\u1FBC\u1FBE\u1FC2-\u1FC4\u1FC6-\u1FCC\u1FD0-\u1FD3\u1FD6-\u1FDB\u1FE0-\u1FEC\u1FF2-\u1FF4\u1FF6-\u1FFC\u2071\u207F\u2090-\u209C\u2102\u2107\u210A-\u2113\u2115\u2119-\u211D\u2124\u2126\u2128\u212A-\u212D\u212F-\u2139\u213C-\u213F\u2145-\u2149\u214E\u2183\u2184\u2C00-\u2C2E\u2C30-\u2C5E\u2C60-\u2CE4\u2CEB-\u2CEE\u2CF2\u2CF3\u2D00-\u2D25\u2D27\u2D2D\u2D30-\u2D67\u2D6F\u2D80-\u2D96\u2DA0-\u2DA6\u2DA8-\u2DAE\u2DB0-\u2DB6\u2DB8-\u2DBE\u2DC0-\u2DC6\u2DC8-\u2DCE\u2DD0-\u2DD6\u2DD8-\u2DDE\u2E2F\u3005\u3006\u3031-\u3035\u303B\u303C\u3041-\u3096\u309D-\u309F\u30A1-\u30FA\u30FC-\u30FF\u3105-\u312D\u3131-\u318E\u31A0-\u31BA\u31F0-\u31FF\u3400-\u4DB5\u4E00-\u9FD5\uA000-\uA48C\uA4D0-\uA4FD\uA500-\uA60C\uA610-\uA61F\uA62A\uA62B\uA640-\uA66E\uA67F-\uA69D\uA6A0-\uA6E5\uA717-\uA71F\uA722-\uA788\uA78B-\uA7AE\uA7B0-\uA7B7\uA7F7-\uA801\uA803-\uA805\uA807-\uA80A\uA80C-\uA822\uA840-\uA873\uA882-\uA8B3\uA8F2-\uA8F7\uA8FB\uA8FD\uA90A-\uA925\uA930-\uA946\uA960-\uA97C\uA984-\uA9B2\uA9CF
\uA9E0-\uA9E4\uA9E6-\uA9EF\uA9FA-\uA9FE\uAA00-\uAA28\uAA40-\uAA42\uAA44-\uAA4B\uAA60-\uAA76\uAA7A\uAA7E-\uAAAF\uAAB1\uAAB5\uAAB6\uAAB9-\uAABD\uAAC0\uAAC2\uAADB-\uAADD\uAAE0-\uAAEA\uAAF2-\uAAF4\uAB01-\uAB06\uAB09-\uAB0E\uAB11-\uAB16\uAB20-\uAB26\uAB28-\uAB2E\uAB30-\uAB5A\uAB5C-\uAB65\uAB70-\uABE2\uAC00-\uD7A3\uD7B0-\uD7C6\uD7CB-\uD7FB\uF900-\uFA6D\uFA70-\uFAD9\uFB00-\uFB06\uFB13-\uFB17\uFB1D\uFB1F-\uFB28\uFB2A-\uFB36\uFB38-\uFB3C\uFB3E\uFB40\uFB41\uFB43\uFB44\uFB46-\uFBB1\uFBD3-\uFD3D\uFD50-\uFD8F\uFD92-\uFDC7\uFDF0-\uFDFB\uFE70-\uFE74\uFE76-\uFEFC\uFF21-\uFF3A\uFF41-\uFF5A\uFF66-\uFFBE\uFFC2-\uFFC7\uFFCA-\uFFCF\uFFD2-\uFFD7\uFFDA-\uFFDC]|\uD800[\uDC00-\uDC0B\uDC0D-\uDC26\uDC28-\uDC3A\uDC3C\uDC3D\uDC3F-\uDC4D\uDC50-\uDC5D\uDC80-\uDCFA\uDE80-\uDE9C\uDEA0-\uDED0\uDF00-\uDF1F\uDF30-\uDF40\uDF42-\uDF49\uDF50-\uDF75\uDF80-\uDF9D\uDFA0-\uDFC3\uDFC8-\uDFCF]|\uD801[\uDC00-\uDC9D\uDCB0-\uDCD3\uDCD8-\uDCFB\uDD00-\uDD27\uDD30-\uDD63\uDE00-\uDF36\uDF40-\uDF55\uDF60-\uDF67]|\uD802[\uDC00-\uDC05\uDC08\uDC0A-\uDC35\uDC37\uDC38\uDC3C\uDC3F-\uDC55\uDC60-\uDC76\uDC80-\uDC9E\uDCE0-\uDCF2\uDCF4\uDCF5\uDD00-\uDD15\uDD20-\uDD39\uDD80-\uDDB7\uDDBE\uDDBF\uDE00\uDE10-\uDE13\uDE15-\uDE17\uDE19-\uDE33\uDE60-\uDE7C\uDE80-\uDE9C\uDEC0-\uDEC7\uDEC9-\uDEE4\uDF00-\uDF35\uDF40-\uDF55\uDF60-\uDF72\uDF80-\uDF91]|\uD803[\uDC00-\uDC48\uDC80-\uDCB2\uDCC0-\uDCF2]|\uD804[\uDC03-\uDC37\uDC83-\uDCAF\uDCD0-\uDCE8\uDD03-\uDD26\uDD50-\uDD72\uDD76\uDD83-\uDDB2\uDDC1-\uDDC4\uDDDA\uDDDC\uDE00-\uDE11\uDE13-\uDE2B\uDE80-\uDE86\uDE88\uDE8A-\uDE8D\uDE8F-\uDE9D\uDE9F-\uDEA8\uDEB0-\uDEDE\uDF05-\uDF0C\uDF0F\uDF10\uDF13-\uDF28\uDF2A-\uDF30\uDF32\uDF33\uDF35-\uDF39\uDF3D\uDF50\uDF5D-\uDF61]|\uD805[\uDC00-\uDC34\uDC47-\uDC4A\uDC80-\uDCAF\uDCC4\uDCC5\uDCC7\uDD80-\uDDAE\uDDD8-\uDDDB\uDE00-\uDE2F\uDE44\uDE80-\uDEAA\uDF00-\uDF19]|\uD806[\uDCA0-\uDCDF\uDCFF\uDEC0-\uDEF8]|\uD807[\uDC00-\uDC08\uDC0A-\uDC2E\uDC40\uDC72-\uDC8F]|\uD808[\uDC00-\uDF99]|\uD809[\uDC80-\uDD43]|[\uD80C\uD81C-\uD820\uD840-\uD868\uD86A-\uD86C\uD86F-\uD872][\
uDC00-\uDFFF]|\uD80D[\uDC00-\uDC2E]|\uD811[\uDC00-\uDE46]|\uD81A[\uDC00-\uDE38\uDE40-\uDE5E\uDED0-\uDEED\uDF00-\uDF2F\uDF40-\uDF43\uDF63-\uDF77\uDF7D-\uDF8F]|\uD81B[\uDF00-\uDF44\uDF50\uDF93-\uDF9F\uDFE0]|\uD821[\uDC00-\uDFEC]|\uD822[\uDC00-\uDEF2]|\uD82C[\uDC00\uDC01]|\uD82F[\uDC00-\uDC6A\uDC70-\uDC7C\uDC80-\uDC88\uDC90-\uDC99]|\uD835[\uDC00-\uDC54\uDC56-\uDC9C\uDC9E\uDC9F\uDCA2\uDCA5\uDCA6\uDCA9-\uDCAC\uDCAE-\uDCB9\uDCBB\uDCBD-\uDCC3\uDCC5-\uDD05\uDD07-\uDD0A\uDD0D-\uDD14\uDD16-\uDD1C\uDD1E-\uDD39\uDD3B-\uDD3E\uDD40-\uDD44\uDD46\uDD4A-\uDD50\uDD52-\uDEA5\uDEA8-\uDEC0\uDEC2-\uDEDA\uDEDC-\uDEFA\uDEFC-\uDF14\uDF16-\uDF34\uDF36-\uDF4E\uDF50-\uDF6E\uDF70-\uDF88\uDF8A-\uDFA8\uDFAA-\uDFC2\uDFC4-\uDFCB]|\uD83A[\uDC00-\uDCC4\uDD00-\uDD43]|\uD83B[\uDE00-\uDE03\uDE05-\uDE1F\uDE21\uDE22\uDE24\uDE27\uDE29-\uDE32\uDE34-\uDE37\uDE39\uDE3B\uDE42\uDE47\uDE49\uDE4B\uDE4D-\uDE4F\uDE51\uDE52\uDE54\uDE57\uDE59\uDE5B\uDE5D\uDE5F\uDE61\uDE62\uDE64\uDE67-\uDE6A\uDE6C-\uDE72\uDE74-\uDE77\uDE79-\uDE7C\uDE7E\uDE80-\uDE89\uDE8B-\uDE9B\uDEA1-\uDEA3\uDEA5-\uDEA9\uDEAB-\uDEBB]|\uD869[\uDC00-\uDED6\uDF00-\uDFFF]|\uD86D[\uDC00-\uDF34\uDF40-\uDFFF]|\uD86E[\uDC00-\uDC1D\uDC20-\uDFFF]|\uD873[\uDC00-\uDEA1]|\uD87E[\uDC00-\uDE1D])+/g while (result = wordRegex.exec(line)) word = result[0] if word[0] == "'" diff --git a/services/web/public/coffee/main.coffee b/services/web/public/coffee/main.coffee index c723031016..60cc38ae6a 100644 --- a/services/web/public/coffee/main.coffee +++ b/services/web/public/coffee/main.coffee @@ -2,6 +2,7 @@ define [ "main/project-list/index" "main/user-details" "main/account-settings" + "main/clear-sessions" "main/account-upgrade" "main/plans" "main/group-members" @@ -32,6 +33,3 @@ define [ "__MAIN_CLIENTSIDE_INCLUDES__" ], () -> angular.bootstrap(document.body, ["SharelatexApp"]) - - - diff --git a/services/web/public/coffee/main/clear-sessions.coffee b/services/web/public/coffee/main/clear-sessions.coffee new file mode 100644 index 0000000000..5524ff8d89 --- /dev/null 
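Review bot: The comment above `wordRegex` says `\p{L}` "is not supported until ES6", but Unicode property escapes (`\p{…}` with the `u` flag) arrived in ES2018, so the rationale should read `# \p{L} (Unicode 'Letter' category) needs the ES2018 u flag, which the browsers we target cannot be assumed to have, hence the expanded ranges.` The multi-kilobyte literal sits inside the `for line, row in lines` loop and so yields a fresh RegExp object per line; hoisting it to module scope and setting `wordRegex.lastIndex = 0` before each line's `while` loop would avoid that, since the `/g` flag makes `exec` stateful. The enclosing function starts and ends outside the hunk.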
+++ b/services/web/public/coffee/main/clear-sessions.coffee @@ -0,0 +1,20 @@ +define [ + "base" +], (App) -> + App.controller "ClearSessionsController", ["$scope", "$http", ($scope, $http) -> + + $scope.state = + otherSessions: window.otherSessions + error: false + success: false + + $scope.clearSessions = () -> + console.log ">> clearing all sessions" + $http({method: 'POST', url: "/user/sessions/clear", headers: {'X-CSRF-Token': window.csrfToken}}) + .success () -> + $scope.state.otherSessions = [] + $scope.state.error = false + $scope.state.success = true + .error () -> + $scope.state.error = true + ] diff --git a/services/web/test/UnitTests/coffee/User/UserControllerTests.coffee b/services/web/test/UnitTests/coffee/User/UserControllerTests.coffee index 38ca579acd..a9c98e02ec 100644 --- a/services/web/test/UnitTests/coffee/User/UserControllerTests.coffee +++ b/services/web/test/UnitTests/coffee/User/UserControllerTests.coffee @@ -81,6 +81,7 @@ describe "UserController", -> @res = send: sinon.stub() + sendStatus: sinon.stub() json: sinon.stub() @next = sinon.stub() describe "deleteUser", -> @@ -224,6 +225,29 @@ describe "UserController", -> }) .should.equal true + describe 'clearSessions', -> + + it 'should call revokeAllUserSessions', (done) -> + @UserController.clearSessions @req, @res + @UserSessionsManager.revokeAllUserSessions.callCount.should.equal 1 + done() + + it 'send a 201 response', (done) -> + @res.sendStatus = (status) => + status.should.equal 201 + done() + @UserController.clearSessions @req, @res + + describe 'when revokeAllUserSessions produces an error', -> + + it 'should call next with an error', (done) -> + @UserSessionsManager.revokeAllUserSessions.callsArgWith(2, new Error('woops')) + next = (err) => + expect(err).to.not.equal null + expect(err).to.be.instanceof Error + done() + @UserController.clearSessions @req, @res, next + describe "changePassword", -> it "should check the old password is the current one at the moment", (done)-> 
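Review bot: `console.log ">> clearing all sessions"` in `clearSessions` is leftover debugging output and should be removed before merge. The `$http(...).success/.error` helpers are the deprecated Angular 1.x callback style; if the app's Angular version allows it, `.then success, failure` is the supported form — confirm against the version in use. A double click fires two POSTs; setting a `state.inflight` flag and binding it to `ng-disabled` on the button is a cheap guard.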
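Review bot: `'should call revokeAllUserSessions'` only checks `callCount`; the property that matters for this endpoint — that the caller's own session is the one retained — is never asserted. Add `@UserSessionsManager.revokeAllUserSessions.calledWith(@user, [@req.sessionID]).should.equal true` (with `@req.sessionID` set in the fixture, and assuming the existing `getSessionUser` stub returns `@user`), so a regression that revokes everything, or retains the wrong id, is caught rather than passing on call count alone.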
diff --git a/services/web/test/UnitTests/coffee/User/UserPagesControllerTests.coffee b/services/web/test/UnitTests/coffee/User/UserPagesControllerTests.coffee index 0df1d65fe6..bb9fa22a15 100644 --- a/services/web/test/UnitTests/coffee/User/UserPagesControllerTests.coffee +++ b/services/web/test/UnitTests/coffee/User/UserPagesControllerTests.coffee @@ -20,6 +20,8 @@ describe "UserPagesController", -> findById: sinon.stub().callsArgWith(1, null, @user) @UserGetter = getUser: sinon.stub().callsArgWith(2, null, @user) + @UserSessionsManager = + getAllUserSessions: sinon.stub() @dropboxStatus = {} @DropboxHandler = getUserRegistrationStatus : sinon.stub().callsArgWith(1, null, @dropboxStatus) @@ -27,11 +29,15 @@ describe "UserPagesController", -> notFound: sinon.stub() @AuthenticationController = getLoggedInUserId: sinon.stub().returns(@user._id) + getSessionUser: sinon.stub().returns(@user) @UserPagesController = SandboxedModule.require modulePath, requires: "settings-sharelatex":@settings - "logger-sharelatex": log:-> + "logger-sharelatex": + log:-> + err:-> "./UserLocator": @UserLocator "./UserGetter": @UserGetter + "./UserSessionsManager": @UserSessionsManager "../Errors/ErrorController": @ErrorController '../Dropbox/DropboxHandler': @DropboxHandler '../Authentication/AuthenticationController': @AuthenticationController 
@@ -100,6 +106,34 @@ describe "UserPagesController", -> done() @UserPagesController.loginPage @req, @res + describe 'sessionsPage', -> + + beforeEach -> + @UserSessionsManager.getAllUserSessions.callsArgWith(2, null, []) + + it 'should render user/sessions', (done) -> + @res.render = (page)-> + page.should.equal "user/sessions" + done() + @UserPagesController.sessionsPage @req, @res + + it 'should have called getAllUserSessions', (done) -> + @res.render = (page) => + @UserSessionsManager.getAllUserSessions.callCount.should.equal 1 + done() + @UserPagesController.sessionsPage @req, @res + + describe 'when getAllUserSessions produces an error', -> + + beforeEach -> + @UserSessionsManager.getAllUserSessions.callsArgWith(2, new Error('woops')) + + it 'should call next with an error', (done) -> + @next = (err) => + assert(err != null) + assert(err instanceof Error) + done() + @UserPagesController.sessionsPage @req, @res, @next describe "settingsPage", -> diff --git a/services/web/test/UnitTests/coffee/User/UserSessionsManagerTests.coffee b/services/web/test/UnitTests/coffee/User/UserSessionsManagerTests.coffee index 9a09aa88f0..f9bf846e54 100644 --- a/services/web/test/UnitTests/coffee/User/UserSessionsManagerTests.coffee +++ b/services/web/test/UnitTests/coffee/User/UserSessionsManagerTests.coffee @@ -21,6 +21,7 @@ describe 'UserSessionsManager', -> sadd: sinon.stub() srem: sinon.stub() smembers: sinon.stub() + mget: sinon.stub() expire: sinon.stub() @rclient.multi.returns(@rclient) @rclient.get.returns(@rclient) 
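Review bot: The `sessionsPage` tests assert `callCount` but not the arguments, so the exclusion of the current session is unverified; `@UserSessionsManager.getAllUserSessions.calledWith(@user, [@req.sessionID]).should.equal true` pins it. Nothing checks that the list the stub returns is what reaches the view either; the `@res.render` callback could take `(page, opts)` and assert `opts.sessions` deep-equals the stubbed array.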
@@ -404,6 +405,97 @@ describe 'UserSessionsManager', -> @rclient.expire.callCount.should.equal 0 done() + describe 'getAllUserSessions', -> + + beforeEach -> + @sessionKeys = ['sess:one', 'sess:two', 'sess:three'] + @sessions = [ + '{"user": {"ip_address": "a", "session_created": "b"}}', + '{"passport": {"user": {"ip_address": "c", "session_created": "d"}}}' + ] + @exclude = ['two'] + @rclient.smembers.callsArgWith(1, null, @sessionKeys) + @rclient.mget.callsArgWith(1, null, @sessions) + @call = (callback) => + @UserSessionsManager.getAllUserSessions @user, @exclude, callback + + it 'should not produce an error', (done) -> + @call (err, sessions) => + expect(err).to.equal null + done() + + it 'should get sessions', (done) -> + @call (err, sessions) => + expect(sessions).to.deep.equal [ + { ip_address: 'a', session_created: 'b' }, + { ip_address: 'c', session_created: 'd' } + ] + done() + + it 'should have called rclient.smembers', (done) -> + @call (err, sessions) => + @rclient.smembers.callCount.should.equal 1 + done() + + it 'should have called rclient.mget', (done) -> + @call (err, sessions) => + @rclient.mget.callCount.should.equal 1 + done() + + describe 'when there are no other sessions', -> + + beforeEach -> + @sessionKeys = ['sess:two'] + @rclient.smembers.callsArgWith(1, null, @sessionKeys) + + it 'should not produce an error', (done) -> + @call (err, sessions) => + expect(err).to.equal null + done() + + it 'should produce an empty list of sessions', (done) -> + @call (err, sessions) => + expect(sessions).to.deep.equal [] + done() + + it 'should have called rclient.smembers', (done) -> + @call (err, sessions) => + @rclient.smembers.callCount.should.equal 1 + done() + + it 'should not have called rclient.mget', (done) -> + @call (err, sessions) => + @rclient.mget.callCount.should.equal 0 + done() + + describe 'when smembers produces an error', -> + + beforeEach -> + @rclient.smembers.callsArgWith(1, new Error('woops')) + + it 'should produce an error', 
(done) -> + @call (err, sessions) => + expect(err).to.not.equal null + expect(err).to.be.instanceof Error + done() + + it 'should not have called rclient.mget', (done) -> + @call (err, sessions) => + @rclient.mget.callCount.should.equal 0 + done() + + describe 'when mget produces an error', -> + + beforeEach -> + @rclient.mget.callsArgWith(1, new Error('woops')) + + it 'should produce an error', (done) -> + @call (err, sessions) => + expect(err).to.not.equal null + expect(err).to.be.instanceof Error + done() + + describe '_checkSessions', -> beforeEach -> diff --git a/services/web/test/acceptance/coffee/SessionTests.coffee b/services/web/test/acceptance/coffee/SessionTests.coffee index cff5b66406..56783b5b85 100644 --- a/services/web/test/acceptance/coffee/SessionTests.coffee +++ b/services/web/test/acceptance/coffee/SessionTests.coffee 
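Review bot: No case covers the inputs that make `getAllUserSessions` throw inside the Redis callback rather than return an error: a `null` entry from `mget` (an expired key still in the set), a body that is not valid JSON, or a session with neither `user` nor `passport.user`. Add a `describe` with `@sessions = [null, '{}', '{"user": {"ip_address": "a", "session_created": "b"}}']` and assert the result contains only the well-formed session; with the code as written the `'{}'` entry raises a TypeError on `session_user.ip_address`, which is exactly the regression this suite should pin down.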
@@ -251,3 +251,115 @@ describe "Sessions", -> throw err done() ) + + describe 'three sessions, sessions page', -> + + before -> + # set up second session for this user + @user2 = new User() + @user2.email = @user1.email + @user2.password = @user1.password + @user3 = new User() + @user3.email = @user1.email + @user3.password = @user1.password + + + it "should allow the user to erase the other two sessions", (done) -> + async.series( + [ + (next) => + redis.clearUserSessions @user1, next + + # login, should add session to set + , (next) => + @user1.login (err) -> + next(err) + + , (next) => + redis.getUserSessions @user1, (err, sessions) => + expect(sessions.length).to.equal 1 + expect(sessions[0].slice(0, 5)).to.equal 'sess:' + next() + + # login again, should add the second session to set + , (next) => + @user2.login (err) -> + next(err) + + , (next) => + redis.getUserSessions @user1, (err, sessions) => + expect(sessions.length).to.equal 2 + expect(sessions[0].slice(0, 5)).to.equal 'sess:' + expect(sessions[1].slice(0, 5)).to.equal 'sess:' + next() + + # login third session, should add the second session to set + , (next) => + @user3.login (err) -> + next(err) + + , (next) => + redis.getUserSessions @user1, (err, sessions) => + expect(sessions.length).to.equal 3 + expect(sessions[0].slice(0, 5)).to.equal 'sess:' + expect(sessions[1].slice(0, 5)).to.equal 'sess:' + next() + + # check the sessions page + , (next) => + @user2.request.get { + uri: '/user/sessions' + }, (err, response, body) => + expect(err).to.be.oneOf [null, undefined] + expect(response.statusCode).to.equal 200 + next() + + # clear sessions from second session, should erase two of the three sessions + , (next) => + @user2.getCsrfToken (err) => + expect(err).to.be.oneOf [null, undefined] + @user2.request.post { + uri: '/user/sessions/clear' + }, (err) -> + next(err) + + , (next) => + redis.getUserSessions @user2, (err, sessions) => + expect(sessions.length).to.equal 1 + next() + + # users one and three 
should not be able to access settings page + , (next) => + @user1.getUserSettingsPage (err, statusCode) => + expect(err).to.equal null + expect(statusCode).to.equal 302 + next() + + , (next) => + @user3.getUserSettingsPage (err, statusCode) => + expect(err).to.equal null + expect(statusCode).to.equal 302 + next() + + # user two should still be logged in, and able to access settings page + , (next) => + @user2.getUserSettingsPage (err, statusCode) => + expect(err).to.equal null + expect(statusCode).to.equal 200 + next() + + # logout second session, should remove last session from set + , (next) => + @user2.logout (err) -> + next(err) + + , (next) => + redis.getUserSessions @user1, (err, sessions) => + expect(sessions.length).to.equal 0 + next() + + ], (err, result) => + if err + throw err + done() + )
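Review bot: The clear step posts to `/user/sessions/clear` but ignores the response, so a handler that quietly 302s to the login page would still let the test proceed; assert the status code there. After clearing, only `sessions.length` is checked — if the test helper exposes the session id, also assert that the surviving key belongs to `@user2`, making the retain-current-session property explicit rather than inferred from the later settings-page checks. The comment `# login third session, should add the second session to set` is a copy-paste slip and should read "third".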