From: Tom Hughes
Date: Fri, 23 Dec 2022 16:24:10 +0000 (+0000)
Subject: Revoke authentication tokens when a user is deleted
X-Git-Tag: live~1418
X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/445e8162e976a6894b2bc942a359e51479de69d0

Revoke authentication tokens when a user is deleted
---

diff --git a/app/models/user.rb b/app/models/user.rb
index d7bfb2235..c809b6192 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -210,6 +210,7 @@ class User < ApplicationRecord
 # Mark the account as deleted and remove personal data
 event :soft_destroy do
 before do
+ revoke_authentication_tokens
 remove_personal_data
 end
@@ -299,6 +300,13 @@ class User < ApplicationRecord
 blocks.active.detect(&:needs_view?)
 end
+ ##
+ # revoke any authentication tokens
+ def revoke_authentication_tokens
+ oauth_tokens.authorized.each(&:invalidate!)
+ access_tokens.not_expired.each(&:revoke)
+ end
+
 ##
 # remove personal data - leave the account but purge most personal data
 def remove_personal_data
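Review bot: The comment above `event :soft_destroy` still says only "Mark the account as deleted and remove personal data", although the `before` block now revokes tokens first; it could read `# Mark the account as deleted, revoke authentication tokens and remove personal data`. Revocation runs ahead of `remove_personal_data` in the same callback, and whether that callback and the state change share one transaction is not visible in this hunk. It is worth confirming that a failure in either step cannot leave a deleted account with tokens that still authenticate. The event body continues outside the hunk.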
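Review bot: In `revoke_authentication_tokens`, `access_tokens.not_expired.each(&:revoke)` leaves already-expired tokens unrevoked, so if the provider is configured to issue refresh tokens, an expired token may still be renewable after the account is deleted. Dropping the `not_expired` filter, or filtering on revocation state instead, would remove that dependency on configuration not shown here. Pending authorization grants are not covered by either line, and whether a deleted user's grant is rejected elsewhere cannot be told from this hunk. The return value of `revoke` is discarded while the other association uses the bang method `invalidate!`, so a failed revoke would presumably pass silently. The doc comment could state the scope, e.g. `# invalidate authorized oauth_tokens and revoke unexpired access_tokens so a deleted account cannot be used through the API`.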