fix(security): revoke tokens and invalidate sessions on password change (#117)

* fix(security): revoke tokens and invalidate sessions on password change

  - Introduce RevokeUserGrants job (replaces RevokeUserGrantsOnExplicitLogout)
    with an optional client_id and a reason parameter; remove the guard
    clause that silently prevented all-client revocation.
  - Wire RevokeUserGrants to UserPasswordResetSuccessful so all OAuth2
    tokens are revoked whenever a password is reset or changed.
  - Rotate remember_token in User::setPassword() to invalidate remember-me
    cookies on other devices.
  - Regenerate the session in UserApiController::updateMe() after a
    password change to protect against session fixation.
  - Add DELETE /admin/api/v1/users/me/tokens endpoint with a corresponding
    "Sign Out All Other Devices" button on the profile page.
  - Add PasswordChangeRevokeTokenTest covering all eight scenarios from
    the security specification.

* refactor(security): replace reason flag with RevokeUserGrants subclass hierarchy

  Replace the string `$reason` parameter on RevokeUserGrants with a proper
  class hierarchy. Make RevokeUserGrants abstract and introduce three concrete
  specialisations:

  - RevokeUserGrantsOnExplicitLogout   – user-initiated logout
  - RevokeUserGrantsOnPasswordChange   – password reset / profile update
  - RevokeUserGrantsOnSessionRevocation – "sign out all other devices"

  Each subclass encodes its reason in the constructor, eliminating stringly-typed
  flags at every call site. Update all dispatch sites and the
  PasswordChangeRevokeTokenTest to use the appropriate concrete class.
  Fix ReflectionException in tests by reflecting on the abstract parent class
  (where the private properties are declared) rather than on the subclass.

* refactor(security): move security side-effects into service layer and fix job retries

  - Add REASON constant to each RevokeUserGrants subclass so the reason
    string is defined once on the class that owns it.
  - Extract revokeAllMyTokens logic into IUserService::revokeAllGrantsOnSessionRevocation()
    so that setRememberToken() is called inside a Doctrine transaction and
    the rotated token is actually persisted.
  - Move session regeneration from UserApiController::updateMe() into
    UserService::update(), triggered by the real password-change condition
    ($former_password != $user->getPassword()) rather than the presence of
    the password field in the request payload.
  - Fix RevokeUserGrants retry behaviour: catch the exception from
    revokeUsersToken(), log it at warning level with the attempt count,
    then re-throw so the queue worker schedules the next retry. Final
    failure is still logged at error level via failed().

* fix(security): eliminate pre-commit side-effects and stale IP in RevokeUserGrants

  Audit records (AddUserAction, EmitAuditLogJob) were dispatched before
  revokeUsersToken() ran, so a transient failure would leave duplicate and
  misleading entries in the audit history on each retry.

  Move both dispatches to after revokeUsersToken() returns cleanly so audit
  records are only emitted on success.

  Capture IPHelper::getUserIp() in the constructor where the originating
  request context is still valid, and store it as a job property. Replace
  the two in-handle IPHelper calls with the stored value so the correct
  client IP is recorded regardless of when the worker processes the job.

* tyle(session): use Session facade consistently in UserService

  Replace request()->session()->regenerate() with Session::regenerate()
  to match the pattern used throughout the rest of the project, and add
  the missing Session facade import.

Author: mulldug

app/Http/Controllers/Api/UserApiController.php

@@ -247,6 +247,15 @@ public function updateMe()
         return $this->update(Auth::user()->getId());
     }
 
+    public function revokeAllMyTokens()
+    {
+        if (!Auth::check())
+            return $this->error403();
+
+        $this->service->revokeAllGrantsOnSessionRevocation(Auth::user()->getId());
+        return $this->deleted();
+    }
+
     public function updateMyPic(){
         if (!Auth::check())
             return $this->error403();

app/Http/Controllers/UserController.php

@@ -13,6 +13,7 @@
  **/
 
 use App\Http\Controllers\OpenId\DiscoveryController;
+use App\Jobs\RevokeUserGrantsOnExplicitLogout;
 use App\Http\Controllers\OpenId\OpenIdController;
 use App\Http\Controllers\Traits\JsonResponses;
 use App\Http\Utils\CountryList;
@@ -673,7 +674,7 @@ public function getIdentity($identifier)
     public function logout()
     {
         $user = $this->auth_service->getCurrentUser();
-        //RevokeUserGrantsOnExplicitLogout::dispatch($user)->afterResponse();
+        // RevokeUserGrantsOnExplicitLogout::dispatch($user)->afterResponse();
         $this->auth_service->logout();
         Session::flush();
         Session::regenerate();

app/Jobs/RevokeUserGrants.php

@@ -0,0 +1,122 @@
+<?php namespace App\Jobs;
+/*
+ * Copyright 2024 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Auth\User;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Log;
+use OAuth2\Services\ITokenService;
+use Utils\IPHelper;
+
+/**
+ * Class RevokeUserGrants
+ * @package App\Jobs
+ */
+abstract class RevokeUserGrants implements ShouldQueue
+{
+    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+
+    public $tries = 5;
+
+    public $timeout = 0;
+
+    /**
+     * @var int
+     */
+    private int $user_id;
+
+    /**
+     * @var string|null
+     */
+    private ?string $client_id;
+
+    /**
+     * @var string
+     */
+    private string $reason;
+
+    /**
+     * @var string
+     */
+    private string $client_ip;
+
+    /**
+     * @param User $user
+     * @param string|null $client_id  null = revoke across all clients
+     * @param string $reason          audit message suffix
+     */
+    public function __construct(User $user, ?string $client_id, string $reason)
+    {
+        $this->user_id    = $user->getId();
+        $this->client_id  = $client_id;
+        $this->reason     = $reason;
+        $this->client_ip  = IPHelper::getUserIp();
+        Log::debug(sprintf(
+            "RevokeUserGrants::constructor user %s client_id %s reason %s",
+            $this->user_id,
+            $client_id ?? 'N/A',
+            $reason
+        ));
+    }
+
+    public function handle(ITokenService $service): void
+    {
+        Log::debug("RevokeUserGrants::handle");
+
+        try {
+            $service->revokeUsersToken($this->user_id, $this->client_id);
+        } catch (\Exception $ex) {
+            Log::warning(sprintf("RevokeUserGrants::handle attempt %d failed: %s",
+                $this->attempts(), $ex->getMessage()));
+            throw $ex;
+        }
+
+        $scope = !empty($this->client_id)
+            ? sprintf("client %s", $this->client_id)
+            : "all clients";
+
+        $action = sprintf(
+            "Revoking all grants for user %s on %s due to %s.",
+            $this->user_id,
+            $scope,
+            $this->reason
+        );
+
+        AddUserAction::dispatch($this->user_id, $this->client_ip, $action);
+
+        // Emit to OTEL audit log (Elasticsearch) if enabled
+        if (config('opentelemetry.enabled', false)) {
+            EmitAuditLogJob::dispatch('audit.security.tokens_revoked', [
+                'audit.action'      => 'revoke_tokens',
+                'audit.entity'      => 'User',
+                'audit.entity_id'   => (string) $this->user_id,
+                'audit.timestamp'   => now()->toISOString(),
+                'audit.description' => $action,
+                'audit.reason'      => $this->reason,
+                'audit.scope'       => $scope,
+                'auth.user.id'      => $this->user_id,
+                'client.ip'         => $this->client_ip,
+                'elasticsearch.index' => config('opentelemetry.logs.elasticsearch_index', 'logs-audit'),
+            ]);
+        }
+    }
+
+    public function failed(\Throwable $exception): void
+    {
+        Log::error(sprintf("RevokeUserGrants::failed %s", $exception->getMessage()));
+    }
+}

app/Jobs/RevokeUserGrantsOnExplicitLogout.php

@@ -13,71 +13,18 @@
  **/
 
 use Auth\User;
-use Illuminate\Bus\Queueable;
-use Illuminate\Contracts\Queue\ShouldQueue;
-use Illuminate\Foundation\Bus\Dispatchable;
-use Illuminate\Queue\InteractsWithQueue;
-use Illuminate\Queue\SerializesModels;
-use Illuminate\Support\Facades\Log;
-use OAuth2\Services\ITokenService;
-use Utils\IPHelper;
 
 /**
- * Class RevokeUserGrants
+ * Class RevokeUserGrantsOnExplicitLogout
+ * Revokes all OAuth2 grants for a user when they explicitly log out.
  * @package App\Jobs
  */
-class RevokeUserGrantsOnExplicitLogout implements ShouldQueue
+class RevokeUserGrantsOnExplicitLogout extends RevokeUserGrants
 {
-    use Dispatchable, InteractsWithQueue, Queueable, SerializesModels;
+    const REASON = 'explicit logout';
 
-    public $tries = 5;
-
-    public $timeout = 0;
-
-    /**
-     * @var int
-     */
-    private $user_id;
-
-    /**
-     * @var string
-     */
-    private $client_id;
-
-
-    /**
-     * @param User $user
-     * @param string|null $client_id
-     */
-    public function __construct(User $user, ?string $client_id = null){
-        $this->user_id = $user->getId();
-        $this->client_id = $client_id;
-        Log::debug(sprintf("RevokeUserGrants::constructor user %s client id %s", $this->user_id, !empty($client_id)? $client_id :"N/A"));
-    }
-
-    public function handle(ITokenService $service){
-        Log::debug(sprintf("RevokeUserGrants::handle"));
-
-        if(empty($this->client_id)) {
-            return;
-        }
-        try{
-            $action = sprintf
-            (
-              "Revoking all grants for user %s on %s due explicit Log out.",
-                $this->user_id,  sprintf("Client %s", $this->client_id)
-            );
-
-            AddUserAction::dispatch($this->user_id, IPHelper::getUserIp(), $action);
-            $service->revokeUsersToken($this->user_id, $this->client_id);
-        }
-        catch (\Exception $ex) {
-            Log::error($ex);
-        }
-    }
-
-    public function failed(\Throwable $exception)
+    public function __construct(User $user, ?string $client_id = null)
     {
-        Log::error(sprintf( "RevokeUserGrants::failed %s", $exception->getMessage()));
+        parent::__construct($user, $client_id, self::REASON);
     }
-}
+}

app/Jobs/RevokeUserGrantsOnPasswordChange.php

@@ -0,0 +1,30 @@
+<?php namespace App\Jobs;
+/*
+ * Copyright 2024 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Auth\User;
+
+/**
+ * Class RevokeUserGrantsOnPasswordChange
+ * Revokes all OAuth2 grants for a user across all clients after a password change.
+ * @package App\Jobs
+ */
+class RevokeUserGrantsOnPasswordChange extends RevokeUserGrants
+{
+    const REASON = 'password change';
+
+    public function __construct(User $user)
+    {
+        parent::__construct($user, null, self::REASON);
+    }
+}

app/Jobs/RevokeUserGrantsOnSessionRevocation.php

@@ -0,0 +1,30 @@
+<?php namespace App\Jobs;
+/*
+ * Copyright 2024 OpenStack Foundation
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ **/
+
+use Auth\User;
+
+/**
+ * Class RevokeUserGrantsOnSessionRevocation
+ * Revokes all OAuth2 grants for a user when they explicitly sign out all other devices.
+ * @package App\Jobs
+ */
+class RevokeUserGrantsOnSessionRevocation extends RevokeUserGrants
+{
+    const REASON = 'user-initiated session revocation';
+
+    public function __construct(User $user)
+    {
+        parent::__construct($user, null, self::REASON);
+    }
+}

app/Providers/EventServiceProvider.php

@@ -19,6 +19,7 @@
 use App\Events\UserLocked;
 use App\Events\UserPasswordResetRequestCreated;
 use App\Events\UserPasswordResetSuccessful;
+use App\Jobs\RevokeUserGrantsOnPasswordChange;
 use App\Events\UserSpamStateUpdated;
 use App\Audit\AuditContext;
 use App\libs\Auth\Repositories\IUserPasswordResetRequestRepository;
@@ -57,7 +58,7 @@ final class EventServiceProvider extends ServiceProvider
         'Illuminate\Database\Events\QueryExecuted' => [
         ],
         'Illuminate\Auth\Events\Logout' => [
-            //'App\Listeners\OnUserLogout',
+            // 'App\Listeners\OnUserLogout',
         ],
         'Illuminate\Auth\Events\Login' => [
             'App\Listeners\OnUserLogin',
@@ -169,6 +170,8 @@ public function boot()
             if(is_null($user)) return;
             if(!$user instanceof User) return;
             Mail::queue(new UserPasswordResetMail($user));
+            // Revoke all OAuth2 tokens for this user across all clients
+            RevokeUserGrantsOnPasswordChange::dispatch($user)->afterResponse();
         });
 
         Event::listen(OAuth2ClientLocked::class, function($event){

app/Services/OpenId/UserService.php

@@ -15,6 +15,7 @@
 use App\Events\UserEmailUpdated;
 use App\Events\UserPasswordResetSuccessful;
 use App\Jobs\AddUserAction;
+use App\Jobs\RevokeUserGrantsOnSessionRevocation;
 use App\Jobs\PublishUserDeleted;
 use App\Jobs\PublishUserUpdated;
 use App\libs\Auth\Factories\UserFactory;
@@ -33,6 +34,7 @@
 use Illuminate\Support\Facades\Config;
 use Illuminate\Support\Facades\Event;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Session;
 use Illuminate\Support\Facades\Mail;
 use Illuminate\Support\Facades\Storage;
 use models\exceptions\EntityNotFoundException;
@@ -292,7 +294,9 @@ public function create(array $payload): IEntity
      */
     public function update(int $id, array $payload): IEntity
     {
-        $user = $this->tx_service->transaction(function () use ($id, $payload) {
+        $password_changed = false;
+
+        $user = $this->tx_service->transaction(function () use ($id, $payload, &$password_changed) {
 
             $user = $this->repository->getById($id);
 
@@ -372,12 +376,17 @@ public function update(int $id, array $payload): IEntity
 
             if ($former_password != $user->getPassword()) {
                 Log::warning(sprintf("UserService::update use id %s - password changed", $id));
-                Event::dispatch(new UserPasswordResetSuccessful($user->getId()));
+                $password_changed = true;
             }
 
             return $user;
         });
 
+        if ($password_changed) {
+            Session::regenerate();
+            Event::dispatch(new UserPasswordResetSuccessful($user->getId()));
+        }
+
         try {
             if (Config::get("queue.enable_message_broker", false) == true)
                 PublishUserUpdated::dispatch($user)->onConnection('message_broker');
@@ -473,6 +482,21 @@ public function updateProfilePhoto($user_id, UploadedFile $file, $max_file_size
         return $user;
     }
 
+    public function revokeAllGrantsOnSessionRevocation(int $user_id): void
+    {
+        $user = $this->tx_service->transaction(function () use ($user_id) {
+            $user = $this->repository->getById($user_id);
+            if (!$user instanceof User)
+                throw new EntityNotFoundException("User not found.");
+
+            $user->setRememberToken(\Illuminate\Support\Str::random(60));
+
+            return $user;
+        });
+
+        RevokeUserGrantsOnSessionRevocation::dispatch($user)->afterResponse();
+    }
+
     public function notifyMonitoredSecurityGroupActivity
     (
         string $action,