Logout existing sessions after a username or password change

Closes #18443
qbittorrent · Sep 16, 2024 · 24c7227 · 24c7227
1 parent 4555a46
commit 24c7227
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 0 deletions.
diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
@@ -299,13 +299,25 @@ const Http::Environment &WebApplication::env() const
     return m_env;
 }
 
+void WebApplication::logoutAllSessions()
+{
+	qDeleteAll(m_sessions);
+	m_sessions.clear();
+}
+
 void WebApplication::setUsername(const QString &username)
 {
+    if (!m_username.isEmpty() && (m_username != username))
+        logoutAllSessions();
+    m_username = username;
     m_authController->setUsername(username);
 }
 
 void WebApplication::setPasswordHash(const QByteArray &passwordHash)
 {
+    if (!m_passwordHash.isEmpty() && (m_passwordHash != passwordHash))
+        logoutAllSessions();
+    m_passwordHash = passwordHash;
     m_authController->setPasswordHash(passwordHash);
 }
 

diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
@@ -125,6 +125,7 @@ class WebApplication final : public ApplicationComponent<QObject>
     // Session management
     QString generateSid() const;
     void sessionInitialize();
+    void logoutAllSessions();
     bool isAuthNeeded();
     bool isPublicAPI(const QString &scope, const QString &action) const;
 
@@ -137,6 +138,8 @@ class WebApplication final : public ApplicationComponent<QObject>
 
     // Persistent data
     QHash<QString, WebSession *> m_sessions;
+    QString m_username;
+    QByteArray m_passwordHash;
 
     // Current data
     WebSession *m_currentSession = nullptr;