* Fix streaming sessions not being closed when revoking access to an app * Add tests for GHSA-7w3c-p9j8-mq3x
		
			
				
	
	
		
			40 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			Ruby
		
	
	
	
	
	
			
		
		
	
	
			40 lines
		
	
	
		
			1.3 KiB
		
	
	
	
		
			Ruby
		
	
	
	
	
	
| # frozen_string_literal: true
 | |
| 
 | |
| module ApplicationExtension
 | |
|   extend ActiveSupport::Concern
 | |
| 
 | |
|   included do
 | |
|     include Redisable
 | |
| 
 | |
|     has_many :created_users, class_name: 'User', foreign_key: 'created_by_application_id', inverse_of: :created_by_application
 | |
| 
 | |
|     validates :name, length: { maximum: 60 }
 | |
|     validates :website, url: true, length: { maximum: 2_000 }, if: :website?
 | |
|     validates :redirect_uri, length: { maximum: 2_000 }
 | |
| 
 | |
|     # The relationship used between Applications and AccessTokens is using
 | |
|     # dependent: delete_all, which means the ActiveRecord callback in
 | |
|     # AccessTokenExtension is not run, so instead we manually announce to
 | |
|     # streaming that these tokens are being deleted.
 | |
|     before_destroy :close_streaming_sessions, prepend: true
 | |
|   end
 | |
| 
 | |
|   def confirmation_redirect_uri
 | |
|     redirect_uri.lines.first.strip
 | |
|   end
 | |
| 
 | |
|   def close_streaming_sessions(resource_owner = nil)
 | |
|     # TODO: #28793 Combine into a single topic
 | |
|     payload = Oj.dump(event: :kill)
 | |
|     scope = access_tokens
 | |
|     scope = scope.where(resource_owner_id: resource_owner.id) unless resource_owner.nil?
 | |
|     scope.in_batches do |tokens|
 | |
|       redis.pipelined do |pipeline|
 | |
|         tokens.ids.each do |id|
 | |
|           pipeline.publish("timeline:access_token:#{id}", payload)
 | |
|         end
 | |
|       end
 | |
|     end
 | |
|   end
 | |
| end
 |