From 73b75571e6546448dac8a67c6c231c14851ccac1 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Fri, 28 Jul 2017 13:15:29 +0200
Subject: core.usermanager, various modules: Disconnect other resources on password change (thanks waqas) (fixes #512)
---
 core/usermanager.lua | 8 ++++++--
 plugins/mod_admin_adhoc.lua | 2 +-
 plugins/mod_admin_telnet.lua | 2 +-
 plugins/mod_auth_internal_hashed.lua | 4 +++-
 plugins/mod_c2s.lua | 12 ++++++++++++
 plugins/mod_register.lua | 2 +-
 6 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/core/usermanager.lua b/core/usermanager.lua
index d5132662..f795e8ae 100644
--- a/core/usermanager.lua
+++ b/core/usermanager.lua
@@ -76,8 +76,12 @@ local function get_password(username, host)
 return hosts[host].users.get_password(username);
 end
 
-local function set_password(username, password, host)
- return hosts[host].users.set_password(username, password);
+local function set_password(username, password, host, resource)
+ local ok, err = hosts[host].users.set_password(username, password);
+ if ok then
+ prosody.events.fire_event("user-password-changed", { username = username, host = host, resource = resource });
+ end
+ return ok, err;
 end
 
 local function user_exists(username, host)
diff --git a/plugins/mod_admin_adhoc.lua b/plugins/mod_admin_adhoc.lua
index 392e715e..f3de6793 100644
--- a/plugins/mod_admin_adhoc.lua
+++ b/plugins/mod_admin_adhoc.lua
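Review bot: `set_password` in core/usermanager.lua gains a `resource` argument, but nothing documents its contract, and that contract is security-relevant. Judging by the `r ~= resource` test in the mod_c2s.lua hook of this same commit, a nil `resource` closes every session of the account, while a non-nil value names the single resource that stays connected. I would add a comment above the function along the lines of `-- resource: the resource to keep connected; nil disconnects every session of the user`. The event fires only when the backend reports success and only on this code path, so a caller that invokes an auth provider's `set_password` directly (as mod_auth_internal_hashed.lua now does) changes the password without disconnecting anything; that is worth stating in the same comment.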
@@ -97,7 +97,7 @@ local change_user_password_command_handler = adhoc_simple(change_user_password_l
 if module_host ~= host then
 return { status = "completed", error = { message = "Trying to change the password of a user on " .. host .. " but command was sent to " .. module_host}};
 end
- if usermanager_user_exists(username, host) and usermanager_set_password(username, fields.password, host) then
+ if usermanager_user_exists(username, host) and usermanager_set_password(username, fields.password, host, nil) then
 return { status = "completed", info = "Password successfully changed" };
 else
 return { status = "completed", error = { message = "User does not exist" } };
diff --git a/plugins/mod_admin_telnet.lua b/plugins/mod_admin_telnet.lua
index 293f6320..5c01f8b8 100644
--- a/plugins/mod_admin_telnet.lua
+++ b/plugins/mod_admin_telnet.lua
@@ -1030,7 +1030,7 @@ function def_env.user:password(jid, password)
 elseif not um.user_exists(username, host) then
 return nil, "No such user";
 end
- local ok, err = um.set_password(username, password, host);
+ local ok, err = um.set_password(username, password, host, nil);
 if ok then
 return true, "User password changed";
 else
diff --git a/plugins/mod_auth_internal_hashed.lua b/plugins/mod_auth_internal_hashed.lua
index 53e345e5..35764afb 100644
--- a/plugins/mod_auth_internal_hashed.lua
+++ b/plugins/mod_auth_internal_hashed.lua
@@ -120,7 +120,9 @@ function provider.get_sasl_handler()
 local credentials = accounts:get(username);
 if not credentials then return; end
 if credentials.password then
- usermanager.set_password(username, credentials.password, host);
+ if provider.set_password(username, credentials.password) == nil then
+ return nil, "Auth failed. Could not set hashed password from plaintext.";
+ end
 credentials = accounts:get(username);
 if not credentials then return; end
 end
diff --git a/plugins/mod_c2s.lua b/plugins/mod_c2s.lua
index cfeb0f0e..fbc22be6 100644
--- a/plugins/mod_c2s.lua
+++ b/plugins/mod_c2s.lua
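Review bot: In the mod_admin_adhoc.lua hunk the combined condition `usermanager_user_exists(...) and usermanager_set_password(...)` sends a failed password write down the `else` branch, so the admin is told "User does not exist" when the account exists but the change did not happen. With this commit a failed write also means no session was disconnected, so an operator resetting a suspect account could misread the outcome. Splitting the two checks lets the write failure be reported on its own. The handler body starts and ends outside the hunk, so the closing `end` of the if/else is not shown.

```lua
-- … unchanged: module_host ~= host check …
if not usermanager_user_exists(username, host) then
	return { status = "completed", error = { message = "User does not exist" } };
elseif usermanager_set_password(username, fields.password, host, nil) then
	return { status = "completed", info = "Password successfully changed" };
else
	return { status = "completed", error = { message = "Failed to change password" } };
```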
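Review bot: The new guard in mod_auth_internal_hashed.lua compares the result with `nil`, which catches a `nil, err` return but would treat a `false` return as success. Whether the storage layer can return `false` is not visible here, so a truthiness test is the safer form: `if not provider.set_password(username, credentials.password) then`. On that path the record would presumably still hold the plaintext `credentials.password`, so failing closed is the behaviour you want. The callback inside `provider.get_sasl_handler` starts and ends outside the hunk, so how the returned message is consumed cannot be confirmed from here.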
@@ -203,6 +203,18 @@ module:hook_global("user-deleted", function(event)
 end
 end, 200);
 
+module:hook_global("user-password-changed", function(event)
+ local username, host, resource = event.username, event.host, event.resource;
+ local user = hosts[host].sessions[username];
+ if user and user.sessions then
+ for r, session in pairs(user.sessions) do
+ if r ~= resource then
+ session:close{ condition = "reset", text = "Password changed" };
+ end
+ end
+ end
+end, 200);
+
 --- Port listener
 function listener.onconnect(conn)
 local session = sm_new_session(conn);
diff --git a/plugins/mod_register.lua b/plugins/mod_register.lua
index fd5339d9..832dd991 100644
--- a/plugins/mod_register.lua
+++ b/plugins/mod_register.lua
@@ -130,7 +130,7 @@ local function handle_registration_stanza(event)
 local password = query:get_child_text("password");
 if username and password then
 if username == session.username then
- if usermanager_set_password(username, password, session.host) then
+ if usermanager_set_password(username, password, session.host, session.resource) then
 session.send(st.reply(stanza));
 else
 -- TODO unable to write file, file may be locked, etc, what's the correct error?
--
cgit v1.2.3
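Review bot: The new `user-password-changed` hook in mod_c2s.lua indexes `hosts[host].sessions[username]` without checking that `hosts[host]` and its `sessions` table exist. The hook is global, so an event carrying a host without a sessions table would raise an index error rather than being ignored; the `user-deleted` hook above may share the pattern, but only its tail is visible. A guard such as `local h = hosts[host]; local user = h and h.sessions and h.sessions[username];` keeps the handler safe. I would also add a one-line comment at `if r ~= resource then` saying that a nil `resource` matches no key and therefore closes every session, since that is the behaviour the admin paths rely on.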
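Review bot: In the mod_register.lua hunk the session that submits the change passes its own `session.resource` and is therefore the only session that survives, but nothing visible in the success branch records the change. Because a password change now force-closes the user's other sessions, an audit line helps later incident review, for example `module:log("info", "Password changed for %s@%s, other sessions closed", username, session.host);` placed before `session.send(st.reply(stanza));`. `handle_registration_stanza` continues outside the hunk, so logging may already exist further down; if it does, this can be dropped.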