authorJoram Wilander <jwawilander@gmail.com>2016-11-15 10:38:58 -0500
committerenahum <nahumhbl@gmail.com>2016-11-15 12:38:58 -0300
commit9c36ca9aca013a749fc3f9df42394b77fcdeb027 (patch)
treed5426077a6bff5840ca07642124fe2c76ac1992f /api
parent526c392aad1f486dddb7cc411244f4446cb06a3a (diff)
Deauthenticate websockets and set status to offline when user account deactivated (#4551)
Diffstat (limited to 'api')
-rw-r--r--api/user.go15
-rw-r--r--api/user_test.go15
-rw-r--r--api/web_conn.go11
-rw-r--r--api/websocket_router.go2
4 files changed, 38 insertions, 5 deletions
diff --git a/api/user.go b/api/user.go
index 2238aca8b..278199f7c 100644
--- a/api/user.go
+++ b/api/user.go
@@ -750,6 +750,10 @@ func RevokeSessionById(c *Context, sessionId string) {
}
RevokeWebrtcToken(session.Id)
+
+ if einterfaces.GetClusterInterface() != nil {
+ einterfaces.GetClusterInterface().RemoveAllSessionsForUserId(session.UserId)
+ }
}
}
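Review bot: The cluster notification here goes straight through `einterfaces.GetClusterInterface()`, while the two bulk-revoke functions later in this file call the `RemoveAllSessionsForUserId(userId)` helper, so the single-session path and the bulk paths invalidate caches through different code. If that helper already clears the local cache and notifies peers (its body is not in this diff), calling it here would keep the revocation paths consistent; otherwise a comment such as `// peers cache sessions per user, so drop every cached session for this user cluster-wide` would explain why revoking one session invalidates all of the user's cached sessions on other nodes. The interface is also fetched twice; `if cluster := einterfaces.GetClusterInterface(); cluster != nil { cluster.RemoveAllSessionsForUserId(session.UserId) }` reads more cleanly. RevokeSessionById starts above the hunk.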
@@ -766,7 +770,6 @@ func RevokeAllSession(c *Context, userId string) {
if session.IsOAuth {
RevokeAccessToken(session.Token)
} else {
- sessionCache.Remove(session.Token)
if result := <-Srv.Store.Session().Remove(session.Id); result.Err != nil {
c.Err = result.Err
return
@@ -776,6 +779,8 @@ func RevokeAllSession(c *Context, userId string) {
RevokeWebrtcToken(session.Id)
}
}
+
+ RemoveAllSessionsForUserId(userId)
}
// UGH...
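Review bot: `RemoveAllSessionsForUserId(userId)` runs only when the loop finishes, but the loop above still has an early `return` when `Srv.Store.Session().Remove` fails, and this commit removed the per-session `sessionCache.Remove(session.Token)` that used to run before that store call. On a store error the function now exits with every cached session for the user still in memory, including ones already deleted from the store, so they may keep authenticating until the cache entries age out. Deferring the purge right after the sessions are loaded, `defer RemoveAllSessionsForUserId(userId)`, would clear the cache on every exit path. RevokeAllSessionsNoContext has the same shape in its two hunks below (`return result.Err` before the cache purge). The function body starts above this hunk.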
@@ -790,7 +795,6 @@ func RevokeAllSessionsNoContext(userId string) *model.AppError {
if session.IsOAuth {
RevokeAccessToken(session.Token)
} else {
- sessionCache.Remove(session.Token)
if result := <-Srv.Store.Session().Remove(session.Id); result.Err != nil {
return result.Err
}
@@ -799,6 +803,9 @@ func RevokeAllSessionsNoContext(userId string) *model.AppError {
RevokeWebrtcToken(session.Id)
}
}
+
+ RemoveAllSessionsForUserId(userId)
+
return nil
}
@@ -1590,6 +1597,10 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
if ruser, err := UpdateActive(user, active); err != nil {
c.Err = err
} else {
+ if !active {
+ SetStatusOffline(ruser.Id, false)
+ }
+
c.LogAuditWithUserId(ruser.Id, fmt.Sprintf("active=%v", active))
w.Write([]byte(ruser.ToJson()))
}
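Review bot: The offline status is set after `UpdateActive` returns, and nothing in this hunk shows the user's sessions being revoked first; if that happens inside `UpdateActive` it is worth stating here, because a websocket that is still authenticated could presumably report the user online again right after this call. A short comment would make the dependency explicit, for example `// sessions are revoked in UpdateActive; force offline so presence does not outlive the account`, adjusted to whatever UpdateActive really does. The second argument in `SetStatusOffline(ruser.Id, false)` is an unnamed boolean and would benefit from a word on what `false` selects. updateActive starts above the hunk.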
diff --git a/api/user_test.go b/api/user_test.go
index f91d71177..0d67030d2 100644
--- a/api/user_test.go
+++ b/api/user_test.go
@@ -1133,8 +1133,9 @@ func TestUserUpdateDeviceId(t *testing.T) {
}
func TestUserUpdateActive(t *testing.T) {
- th := Setup()
+ th := Setup().InitSystemAdmin()
Client := th.CreateClient()
+ SystemAdminClient := th.SystemAdminClient
team := &model.Team{DisplayName: "Name", Name: "z-z-" + model.NewId() + "a", Email: "test@nowhere.com", Type: model.TEAM_OPEN}
team = Client.Must(Client.CreateTeam(team)).Data.(*model.Team)
@@ -1187,6 +1188,18 @@ func TestUserUpdateActive(t *testing.T) {
if _, err := Client.UpdateActive("12345678901234567890123456", false); err == nil {
t.Fatal("Should have errored, bad id")
}
+
+ SetStatusOnline(user3.Id, "", false)
+
+ if _, err := SystemAdminClient.UpdateActive(user3.Id, false); err != nil {
+ t.Fatal(err)
+ }
+
+ if status, err := GetStatus(user3.Id); err != nil {
+ t.Fatal(err)
+ } else if status.Status != model.STATUS_OFFLINE {
+ t.Fatal("status should have been set to offline")
+ }
}
func TestUserPermDelete(t *testing.T) {
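Review bot: The new assertions cover only the presence change; nothing here checks that user3's session stops authenticating after `UpdateActive(user3.Id, false)`, which is the security-relevant half of this commit. Adding a step that logs in as user3 before deactivation and then asserts that an authenticated call (or a websocket request) with that session is rejected afterwards would pin the deauthentication behaviour. The test function begins above this hunk.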
diff --git a/api/web_conn.go b/api/web_conn.go
index c906b7c95..ae2a274d4 100644
--- a/api/web_conn.go
+++ b/api/web_conn.go
@@ -140,7 +140,16 @@ func (webCon *WebConn) InvalidateCache() {
}
func (webCon *WebConn) isAuthenticated() bool {
- return webCon.SessionToken != ""
+ if webCon.SessionToken == "" {
+ return false
+ }
+
+ session := GetSession(webCon.SessionToken)
+ if session == nil || session.IsExpired() {
+ return false
+ }
+
+ return true
}
func (webCon *WebConn) SendHello() {
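Review bot: `isAuthenticated` is now a session lookup rather than a field check, so it only takes effect where it is called: a connection whose session was revoked stays open, and whether it stops receiving pushed events depends on the send path calling this method, which is not visible in this diff. A doc comment should say so and record that the method fails closed, e.g. `// isAuthenticated reports whether the token still maps to a live, unexpired session; a missing session counts as unauthenticated.` The tail can also be collapsed to `return session != nil && !session.IsExpired()`. If `GetSession` falls through to the store on a cache miss, every request carrying a revoked token costs a store read, which may be worth bounding.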
diff --git a/api/websocket_router.go b/api/websocket_router.go
index 504e434b7..989d41373 100644
--- a/api/websocket_router.go
+++ b/api/websocket_router.go
@@ -63,7 +63,7 @@ func (wr *WebSocketRouter) ServeWebSocket(conn *WebConn, r *model.WebSocketReque
return
}
- if conn.SessionToken == "" {
+ if !conn.isAuthenticated() {
err := model.NewLocAppError("ServeWebSocket", "api.web_socket_router.not_authenticated.app_error", nil, "")
wr.ReturnWebSocketError(conn, r, err)
return