Password change needs to require user login to reset some cookies

closes pterodactyl#1793

Author: DaneEveritt

app/Http/Controllers/Api/Client/AccountController.php

@@ -4,6 +4,8 @@
 
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
+use Illuminate\Auth\AuthManager;
+use Illuminate\Http\JsonResponse;
 use Pterodactyl\Services\Users\UserUpdateService;
 use Pterodactyl\Transformers\Api\Client\AccountTransformer;
 use Pterodactyl\Http\Requests\Api\Client\Account\UpdateEmailRequest;
@@ -16,16 +18,23 @@ class AccountController extends ClientApiController
      */
     private $updateService;
 
+    /**
+     * @var \Illuminate\Auth\SessionGuard
+     */
+    private $sessionGuard;
+
     /**
      * AccountController constructor.
      *
+     * @param \Illuminate\Auth\AuthManager $sessionGuard
      * @param \Pterodactyl\Services\Users\UserUpdateService $updateService
      */
-    public function __construct(UserUpdateService $updateService)
+    public function __construct(AuthManager $sessionGuard, UserUpdateService $updateService)
     {
         parent::__construct();
 
         $this->updateService = $updateService;
+        $this->sessionGuard = $sessionGuard;
     }
 
     /**
@@ -56,18 +65,21 @@ public function updateEmail(UpdateEmailRequest $request): Response
     }
 
     /**
-     * Update the authenticated user's password.
+     * Update the authenticated user's password. All existing sessions will be logged
+     * out immediately.
      *
      * @param \Pterodactyl\Http\Requests\Api\Client\Account\UpdatePasswordRequest $request
-     * @return \Illuminate\Http\Response
+     * @return \Illuminate\Http\JsonResponse
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
-    public function updatePassword(UpdatePasswordRequest $request): Response
+    public function updatePassword(UpdatePasswordRequest $request): \Illuminate\Http\JsonResponse
     {
         $this->updateService->handle($request->user(), $request->validated());
 
-        return response('', Response::HTTP_CREATED);
+        $this->sessionGuard->logoutOtherDevices($request->input('current_password'));
+
+        return JsonResponse::create([], Response::HTTP_NO_CONTENT);
     }
 }

resources/scripts/components/dashboard/forms/UpdatePasswordForm.tsx

@@ -34,8 +34,8 @@ export default () => {
         clearFlashes('account:password');
         updateAccountPassword({ ...values })
             .then(() => {
-                resetForm();
-                addFlash({ key: 'account:password', type: 'success', message: 'Your password has been updated.' });
+                // @ts-ignore
+                window.location = '/auth/login';
             })
             .catch(error => addFlash({
                 key: 'account:password',

resources/scripts/components/elements/ContentBox.tsx

@@ -11,7 +11,12 @@ type Props = Readonly<React.DetailedHTMLProps<React.HTMLAttributes<HTMLDivElemen
 export default ({ title, borderColor, showFlashes, children, ...props }: Props) => (
     <div {...props}>
         {title && <h2 className={'text-neutral-300 mb-4 px-4'}>{title}</h2>}
-        {showFlashes && <FlashMessageRender byKey={typeof showFlashes === 'string' ? showFlashes : undefined}/>}
+        {showFlashes &&
+        <FlashMessageRender
+            byKey={typeof showFlashes === 'string' ? showFlashes : undefined}
+            className={'mb-4'}
+        />
+        }
         <div className={classNames('bg-neutral-700 p-4 rounded shadow-lg relative', borderColor, {
             'border-t-4': !!borderColor,
         })}>