refactor(security): move security side-effects into service layer and fix job retries

mulldug · mulldug · commit 630d325b4f02 · 2026-03-12T13:16:27.000-05:00
- Add REASON constant to each RevokeUserGrants subclass so the reason
    string is defined once on the class that owns it.
  - Extract revokeAllMyTokens logic into IUserService::revokeAllGrantsOnSessionRevocation()
    so that setRememberToken() is called inside a Doctrine transaction and
    the rotated token is actually persisted.
  - Move session regeneration from UserApiController::updateMe() into
    UserService::update(), triggered by the real password-change condition
    ($former_password != $user-&gt;getPassword()) rather than the presence of
    the password field in the request payload.
  - Fix RevokeUserGrants retry behaviour: catch the exception from
    revokeUsersToken(), log it at warning level with the attempt count,
    then re-throw so the queue worker schedules the next retry. Final
    failure is still logged at error level via failed().
diff --git a/app/Http/Controllers/Api/UserApiController.php b/app/Http/Controllers/Api/UserApiController.php
@@ -13,7 +13,6 @@
  **/
 
 use App\Http\Controllers\APICRUDController;
-use App\Jobs\RevokeUserGrantsOnSessionRevocation;
 use App\Http\Controllers\Traits\RequestProcessor;
 use App\Http\Controllers\UserValidationRulesFactory;
 use App\ModelSerializers\SerializerRegistry;
@@ -245,22 +244,15 @@ public function updateMe()
         if (!Auth::check())
             return $this->error403();
 
-        $password_changed = request()->filled('password');
-        $response = $this->update(Auth::user()->getId());
-        if ($password_changed) {
-            request()->session()->regenerate();
-        }
-        return $response;
+        return $this->update(Auth::user()->getId());
     }
 
     public function revokeAllMyTokens()
     {
         if (!Auth::check())
             return $this->error403();
 
-        $user = Auth::user();
-        RevokeUserGrantsOnSessionRevocation::dispatch($user)->afterResponse();
-        $user->setRememberToken(\Illuminate\Support\Str::random(60));
+        $this->service->revokeAllGrantsOnSessionRevocation(Auth::user()->getId());
         return $this->deleted();
     }
 
diff --git a/app/Jobs/RevokeUserGrants.php b/app/Jobs/RevokeUserGrants.php
@@ -71,39 +71,41 @@ public function handle(ITokenService $service): void
     {
         Log::debug("RevokeUserGrants::handle");
 
-        try {
-            $scope = !empty($this->client_id)
-                ? sprintf("client %s", $this->client_id)
-                : "all clients";
+        $scope = !empty($this->client_id)
+            ? sprintf("client %s", $this->client_id)
+            : "all clients";
 
-            $action = sprintf(
-                "Revoking all grants for user %s on %s due to %s.",
-                $this->user_id,
-                $scope,
-                $this->reason
-            );
+        $action = sprintf(
+            "Revoking all grants for user %s on %s due to %s.",
+            $this->user_id,
+            $scope,
+            $this->reason
+        );
 
-            AddUserAction::dispatch($this->user_id, IPHelper::getUserIp(), $action);
+        AddUserAction::dispatch($this->user_id, IPHelper::getUserIp(), $action);
 
-            // Emit to OTEL audit log (Elasticsearch) if enabled
-            if (config('opentelemetry.enabled', false)) {
-                EmitAuditLogJob::dispatch('audit.security.tokens_revoked', [
-                    'audit.action'      => 'revoke_tokens',
-                    'audit.entity'      => 'User',
-                    'audit.entity_id'   => (string) $this->user_id,
-                    'audit.timestamp'   => now()->toISOString(),
-                    'audit.description' => $action,
-                    'audit.reason'      => $this->reason,
-                    'audit.scope'       => $scope,
-                    'auth.user.id'      => $this->user_id,
-                    'client.ip'         => IPHelper::getUserIp(),
-                    'elasticsearch.index' => config('opentelemetry.logs.elasticsearch_index', 'logs-audit'),
-                ]);
-            }
+        // Emit to OTEL audit log (Elasticsearch) if enabled
+        if (config('opentelemetry.enabled', false)) {
+            EmitAuditLogJob::dispatch('audit.security.tokens_revoked', [
+                'audit.action'      => 'revoke_tokens',
+                'audit.entity'      => 'User',
+                'audit.entity_id'   => (string) $this->user_id,
+                'audit.timestamp'   => now()->toISOString(),
+                'audit.description' => $action,
+                'audit.reason'      => $this->reason,
+                'audit.scope'       => $scope,
+                'auth.user.id'      => $this->user_id,
+                'client.ip'         => IPHelper::getUserIp(),
+                'elasticsearch.index' => config('opentelemetry.logs.elasticsearch_index', 'logs-audit'),
+            ]);
+        }
 
+        try {
             $service->revokeUsersToken($this->user_id, $this->client_id);
         } catch (\Exception $ex) {
-            Log::error($ex);
+            Log::warning(sprintf("RevokeUserGrants::handle attempt %d failed: %s",
+                $this->attempts(), $ex->getMessage()));
+            throw $ex;
         }
     }
 
diff --git a/app/Jobs/RevokeUserGrantsOnExplicitLogout.php b/app/Jobs/RevokeUserGrantsOnExplicitLogout.php
@@ -21,8 +21,10 @@
  */
 class RevokeUserGrantsOnExplicitLogout extends RevokeUserGrants
 {
+    const REASON = 'explicit logout';
+
     public function __construct(User $user, ?string $client_id = null)
     {
-        parent::__construct($user, $client_id, 'explicit logout');
+        parent::__construct($user, $client_id, self::REASON);
     }
 }
diff --git a/app/Jobs/RevokeUserGrantsOnPasswordChange.php b/app/Jobs/RevokeUserGrantsOnPasswordChange.php
@@ -21,8 +21,10 @@
  */
 class RevokeUserGrantsOnPasswordChange extends RevokeUserGrants
 {
+    const REASON = 'password change';
+
     public function __construct(User $user)
     {
-        parent::__construct($user, null, 'password change');
+        parent::__construct($user, null, self::REASON);
     }
 }
diff --git a/app/Jobs/RevokeUserGrantsOnSessionRevocation.php b/app/Jobs/RevokeUserGrantsOnSessionRevocation.php
@@ -21,8 +21,10 @@
  */
 class RevokeUserGrantsOnSessionRevocation extends RevokeUserGrants
 {
+    const REASON = 'user-initiated session revocation';
+
     public function __construct(User $user)
     {
-        parent::__construct($user, null, 'user-initiated session revocation');
+        parent::__construct($user, null, self::REASON);
     }
 }
diff --git a/app/Providers/EventServiceProvider.php b/app/Providers/EventServiceProvider.php
@@ -58,7 +58,7 @@ final class EventServiceProvider extends ServiceProvider
         'Illuminate\Database\Events\QueryExecuted' => [
         ],
         'Illuminate\Auth\Events\Logout' => [
-            'App\Listeners\OnUserLogout',
+            // 'App\Listeners\OnUserLogout',
         ],
         'Illuminate\Auth\Events\Login' => [
             'App\Listeners\OnUserLogin',
diff --git a/app/Services/OpenId/UserService.php b/app/Services/OpenId/UserService.php
@@ -15,6 +15,7 @@
 use App\Events\UserEmailUpdated;
 use App\Events\UserPasswordResetSuccessful;
 use App\Jobs\AddUserAction;
+use App\Jobs\RevokeUserGrantsOnSessionRevocation;
 use App\Jobs\PublishUserDeleted;
 use App\Jobs\PublishUserUpdated;
 use App\libs\Auth\Factories\UserFactory;
@@ -372,6 +373,7 @@ public function update(int $id, array $payload): IEntity
 
             if ($former_password != $user->getPassword()) {
                 Log::warning(sprintf("UserService::update use id %s - password changed", $id));
+                request()->session()->regenerate();
                 Event::dispatch(new UserPasswordResetSuccessful($user->getId()));
             }
 
@@ -473,6 +475,21 @@ public function updateProfilePhoto($user_id, UploadedFile $file, $max_file_size
         return $user;
     }
 
+    public function revokeAllGrantsOnSessionRevocation(int $user_id): void
+    {
+        $user = $this->tx_service->transaction(function () use ($user_id) {
+            $user = $this->repository->getById($user_id);
+            if (!$user instanceof User)
+                throw new EntityNotFoundException("User not found.");
+
+            $user->setRememberToken(\Illuminate\Support\Str::random(60));
+
+            return $user;
+        });
+
+        RevokeUserGrantsOnSessionRevocation::dispatch($user)->afterResponse();
+    }
+
     public function notifyMonitoredSecurityGroupActivity
     (
         string $action,
diff --git a/app/libs/OpenId/Services/IUserService.php b/app/libs/OpenId/Services/IUserService.php
@@ -105,4 +105,12 @@ public function notifyMonitoredSecurityGroupActivity(
         string $action_by,
     ): void;
 
+    /**
+     * Rotates the user's remember token (persisted) and schedules revocation
+     * of all OAuth2 grants for that user.
+     * @param int $user_id
+     * @throws EntityNotFoundException
+     */
+    public function revokeAllGrantsOnSessionRevocation(int $user_id): void;
+
 }
diff --git a/tests/PasswordChangeRevokeTokenTest.php b/tests/PasswordChangeRevokeTokenTest.php
@@ -1,6 +1,6 @@
 <?php namespace Tests;
 /**
- * Copyright 2024 OpenStack Foundation
+ * Copyright 2026 OpenStack Foundation
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at

Original file line number	Diff line number	Diff line change
`@@ -21,8 +21,10 @@`
`21`	`21`	`*/`
`22`	`22`	`class RevokeUserGrantsOnExplicitLogout extends RevokeUserGrants`
`23`	`23`	`{`
	`24`	`+ const REASON = 'explicit logout';`
	`25`	`+`
`24`	`26`	`public function __construct(User $user, ?string $client_id = null)`
`25`	`27`	`{`
`26`		`- parent::__construct($user, $client_id, 'explicit logout');`
	`28`	`+ parent::__construct($user, $client_id, self::REASON);`
`27`	`29`	`}`
`28`	`30`	`}`