yv01p/Umbraco-CMS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Retrieve only user external logins when invalidate following removal of backoffice external user login (#19766)

Browse Source 
* Retrieve only user external logins when invalidate following removal of backoffice external user login.

* Improved variable name.
This commit is contained in:
Andy Butland
2025-07-22 09:50:05 +02:00
committed by kjac
parent a0406b1406
commit 8cc6508b22
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
src/Umbraco.Infrastructure/Persistence/Repositories/Implement/UserRepository.cs
View File

@@ -1264,13 +1264,14 @@ SELECT 4 AS [Key], COUNT(id) AS [Value] FROM umbracoUser WHERE userDisabled = 0
/// <inheritdoc />
public void InvalidateSessionsForRemovedProviders(IEnumerable<string> currentLoginProviders)
{
// Get all the user or member keys associated with the removed providers.
// Get all the user keys associated with the removed providers.
Sql<ISqlContext> idsQuery = SqlContext.Sql()
.Select<ExternalLoginDto>(x => x.UserOrMemberKey)
.From<ExternalLoginDto>()
.Where<ExternalLoginDto>(x => !x.LoginProvider.StartsWith(Constants.Security.MemberExternalAuthenticationTypePrefix)) // Only invalidate sessions relating to backoffice users, not members.
.WhereNotIn<ExternalLoginDto>(x => x.LoginProvider, currentLoginProviders);
List<Guid> userAndMemberKeysAssociatedWithRemovedProviders = Database.Fetch<Guid>(idsQuery);
if (userAndMemberKeysAssociatedWithRemovedProviders.Count == 0)
List<Guid> userKeysAssociatedWithRemovedProviders = Database.Fetch<Guid>(idsQuery);
if (userKeysAssociatedWithRemovedProviders.Count == 0)
{
return;
}
@@ -1278,12 +1279,12 @@ SELECT 4 AS [Key], COUNT(id) AS [Value] FROM umbracoUser WHERE userDisabled = 0
// Invalidate the security stamps on the users associated with the removed providers.
Sql<ISqlContext> updateSecurityStampsQuery = Sql()
.Update<UserDto>(u => u.Set(x => x.SecurityStampToken, "0".PadLeft(32, '0')))
.WhereIn<UserDto>(x => x.Key, userAndMemberKeysAssociatedWithRemovedProviders);
.WhereIn<UserDto>(x => x.Key, userKeysAssociatedWithRemovedProviders);
Database.Execute(updateSecurityStampsQuery);
// Delete the OpenIddict tokens for the users associated with the removed providers.
// The following is safe from SQL injection as we are dealing with GUIDs, not strings.
var userKeysForInClause = string.Join("','", userAndMemberKeysAssociatedWithRemovedProviders.Select(x => x.ToString()));
var userKeysForInClause = string.Join("','", userKeysAssociatedWithRemovedProviders.Select(x => x.ToString()));
Database.Execute("DELETE FROM umbracoOpenIddictTokens WHERE Subject IN ('" + userKeysForInClause + "')");
}