Disable cookie access when a user is disabled (#6971)

This commit is contained in:
Nicolas Dorier
2025-10-30 23:35:28 +09:00
committed by GitHub
parent b1cba47adf
commit b8fcb83fd6
4 changed files with 110 additions and 4 deletions


@@ -24,6 +24,7 @@ namespace BTCPayServer.Services
private readonly FileService _fileService;
private readonly EventAggregator _eventAggregator;
private readonly ApplicationDbContextFactory _applicationDbContextFactory;
private readonly BTCPayServerSecurityStampValidator.DisabledUsers _disabledUsers;
private readonly ILogger<UserService> _logger;
public UserService(
@@ -32,6 +33,7 @@ namespace BTCPayServer.Services
FileService fileService,
EventAggregator eventAggregator,
ApplicationDbContextFactory applicationDbContextFactory,
BTCPayServerSecurityStampValidator.DisabledUsers disabledUsers,
ILogger<UserService> logger)
{
_serviceProvider = serviceProvider;
@@ -39,6 +41,7 @@ namespace BTCPayServer.Services
_fileService = fileService;
_eventAggregator = eventAggregator;
_applicationDbContextFactory = applicationDbContextFactory;
_disabledUsers = disabledUsers;
_logger = logger;
}
@@ -94,7 +97,7 @@ namespace BTCPayServer.Services
{
return user.Approved || !user.RequiresApproval;
}
public static bool TryCanLogin([NotNullWhen(true)] ApplicationUser? user, [MaybeNullWhen(true)] out string error)
{
error = null;
@@ -120,7 +123,7 @@ namespace BTCPayServer.Services
}
return true;
}
public async Task<bool> SetUserApproval(string userId, bool approved, string loginLink)
{
using var scope = _serviceProvider.CreateScope();
@@ -130,7 +133,7 @@ namespace BTCPayServer.Services
{
return false;
}
user.Approved = approved;
var succeeded = await userManager.UpdateAsync(user) is { Succeeded: true };
if (succeeded)
@@ -145,7 +148,7 @@ namespace BTCPayServer.Services
return succeeded;
}
public async Task<bool?> ToggleUser(string userId, DateTimeOffset? lockedOutDeadline)
{
using var scope = _serviceProvider.CreateScope();
@@ -161,6 +164,17 @@ namespace BTCPayServer.Services
}
var res = await userManager.SetLockoutEndDateAsync(user, lockedOutDeadline);
// Without this, the user won't be logged out automatically when his authentication ticket expires
if (lockedOutDeadline is not null)
{
await userManager.UpdateSecurityStampAsync(user);
_disabledUsers.Add(userId);
}
else
{
_disabledUsers.Remove(userId);
}
if (res.Succeeded)
{
_logger.LogInformation("User {Email} is now {Status}", user.Email, (lockedOutDeadline is null ? "unlocked" : "locked"));