cameleer/cameleer-server
1
0
Fork 0
Code Issues 47 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(security): revoke outstanding tokens on user role/group mutations and delete

Browse Source
This commit is contained in:
hsiegeln
2026-04-29 10:14:14 +02:00
parent 22e10b639f
commit 2934b67f6b
1 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
cameleer-server-app/src/main/java/io/cameleer/server/app/controller/UserAdminController.java
View File

@@ -150,6 +150,7 @@ public class UserAdminController {
@PathVariable UUID roleId, @PathVariable UUID roleId,
HttpServletRequest httpRequest) { HttpServletRequest httpRequest) {
rbacService.assignRoleToUser(userId, roleId); rbacService.assignRoleToUser(userId, roleId);
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("assign_role_to_user", AuditCategory.USER_MGMT, userId, auditService.log("assign_role_to_user", AuditCategory.USER_MGMT, userId,
Map.of("roleId", roleId), AuditResult.SUCCESS, httpRequest); Map.of("roleId", roleId), AuditResult.SUCCESS, httpRequest);
return ResponseEntity.ok().build(); return ResponseEntity.ok().build();
@@ -162,6 +163,7 @@ public class UserAdminController {
@PathVariable UUID roleId, @PathVariable UUID roleId,
HttpServletRequest httpRequest) { HttpServletRequest httpRequest) {
rbacService.removeRoleFromUser(userId, roleId); rbacService.removeRoleFromUser(userId, roleId);
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("remove_role_from_user", AuditCategory.USER_MGMT, userId, auditService.log("remove_role_from_user", AuditCategory.USER_MGMT, userId,
Map.of("roleId", roleId), AuditResult.SUCCESS, httpRequest); Map.of("roleId", roleId), AuditResult.SUCCESS, httpRequest);
return ResponseEntity.noContent().build(); return ResponseEntity.noContent().build();
@@ -174,6 +176,7 @@ public class UserAdminController {
@PathVariable UUID groupId, @PathVariable UUID groupId,
HttpServletRequest httpRequest) { HttpServletRequest httpRequest) {
rbacService.addUserToGroup(userId, groupId); rbacService.addUserToGroup(userId, groupId);
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("add_user_to_group", AuditCategory.USER_MGMT, userId, auditService.log("add_user_to_group", AuditCategory.USER_MGMT, userId,
Map.of("groupId", groupId), AuditResult.SUCCESS, httpRequest); Map.of("groupId", groupId), AuditResult.SUCCESS, httpRequest);
return ResponseEntity.ok().build(); return ResponseEntity.ok().build();
@@ -186,6 +189,7 @@ public class UserAdminController {
@PathVariable UUID groupId, @PathVariable UUID groupId,
HttpServletRequest httpRequest) { HttpServletRequest httpRequest) {
rbacService.removeUserFromGroup(userId, groupId); rbacService.removeUserFromGroup(userId, groupId);
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("remove_user_from_group", AuditCategory.USER_MGMT, userId, auditService.log("remove_user_from_group", AuditCategory.USER_MGMT, userId,
Map.of("groupId", groupId), AuditResult.SUCCESS, httpRequest); Map.of("groupId", groupId), AuditResult.SUCCESS, httpRequest);
return ResponseEntity.noContent().build(); return ResponseEntity.noContent().build();
@@ -202,6 +206,7 @@ public class UserAdminController {
if (isAdmin && rbacService.getEffectivePrincipalsForRole(SystemRole.ADMIN_ID).size() <= 1) { if (isAdmin && rbacService.getEffectivePrincipalsForRole(SystemRole.ADMIN_ID).size() <= 1) {
throw new ResponseStatusException(HttpStatus.CONFLICT, "Cannot delete the last admin user"); throw new ResponseStatusException(HttpStatus.CONFLICT, "Cannot delete the last admin user");
} }
userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
userRepository.delete(userId); userRepository.delete(userId);
auditService.log("delete_user", AuditCategory.USER_MGMT, userId, auditService.log("delete_user", AuditCategory.USER_MGMT, userId,
null, AuditResult.SUCCESS, httpRequest); null, AuditResult.SUCCESS, httpRequest);
@@ -231,7 +236,7 @@ public class UserAdminController {
} }
userRepository.setPassword(userId, passwordEncoder.encode(request.password())); userRepository.setPassword(userId, passwordEncoder.encode(request.password()));
// Revoke all existing tokens so the user must re-authenticate with the new password // Revoke all existing tokens so the user must re-authenticate with the new password
userRepository.revokeTokensBefore(userId, Instant.now()); userRepository.revokeTokensBefore(userId, Instant.now().plusMillis(1));
auditService.log("reset_password", AuditCategory.USER_MGMT, userId, null, AuditResult.SUCCESS, httpRequest); auditService.log("reset_password", AuditCategory.USER_MGMT, userId, null, AuditResult.SUCCESS, httpRequest);
return ResponseEntity.noContent().build(); return ResponseEntity.noContent().build();
} }