AC-9803: Force sign-in session invalidated

mrprabhu92 · mrprabhu92 · commit 016222270651 · 2025-02-27T18:12:52.000+05:30
diff --git a/app/code/Magento/User/Block/User/Edit.php b/app/code/Magento/User/Block/User/Edit.php
@@ -1,8 +1,20 @@
 <?php
-/**
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+/************************************************************************
+ *
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ * ************************************************************************
  */
+declare(strict_types=1);
 
 namespace Magento\User\Block\User;
 
@@ -70,7 +82,7 @@ protected function _construct()
                     'label' => __('Force Sign-In'),
                     'class' => 'invalidate-token',
                     'onclick' => "deleteConfirm('" . $this->escapeJs($this->escapeHtml($deleteConfirmMsg)) .
-                        "', '" . $this->getInvalidateUrl() . "')",
+                        "', '" . $this->getInvalidateUrl() . "', {data:{{$this->_objectId}:{$objId}}})",
                 ]
             );
         }
@@ -149,6 +161,6 @@ public function getValidationUrl()
      */
     public function getInvalidateUrl()
     {
-        return $this->getUrl('adminhtml/*/invalidatetoken', ['_current' => true]);
+        return $this->getUrl('adminhtml/*/invalidatetoken');
     }
 }
diff --git a/app/code/Magento/User/Controller/Adminhtml/Auth/ResetPasswordPost.php b/app/code/Magento/User/Controller/Adminhtml/Auth/ResetPasswordPost.php
@@ -1,37 +1,61 @@
 <?php
-/**
+/************************************************************************
  *
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ * ************************************************************************
  */
+declare(strict_types=1);
+
 namespace Magento\User\Controller\Adminhtml\Auth;
 
+use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\App\Action\HttpPostActionInterface;
 use Magento\User\Controller\Adminhtml\Auth;
 use Magento\Backend\App\Action\Context;
 use Magento\Framework\App\ObjectManager;
 use Magento\Backend\Helper\Data;
 use Magento\User\Model\UserFactory;
+use Magento\User\Helper\ForceSignIn;
 
-class ResetPasswordPost extends Auth
+class ResetPasswordPost extends Auth implements HttpGetActionInterface, HttpPostActionInterface
 {
     /**
      * @var Data
      */
     private $backendDataHelper;
 
+    /**
+     * @var ForceSignIn
+     */
+    private ForceSignIn $forceSignIn;
+
     /**
      * @param Context $context
      * @param UserFactory $userFactory
-     * @param Data $backendDataHelper
+     * @param Data|null $backendDataHelper
+     * @param ForceSignIn|null $forceSignIn
      */
     public function __construct(
         Context $context,
         UserFactory $userFactory,
-        Data $backendDataHelper = null
+        Data $backendDataHelper = null,
+        ForceSignIn $forceSignIn = null
     ) {
         parent::__construct($context, $userFactory);
         $this->backendDataHelper = $backendDataHelper ?: ObjectManager::getInstance()->get(Data::class);
+        $this->forceSignIn = $forceSignIn ?: ObjectManager::getInstance()->get(ForceSignIn::class);
     }
+
     /**
      * Reset forgotten password
      *
@@ -75,6 +99,7 @@ public function execute()
                 }
             } else {
                 $user->save();
+                $this->forceSignIn->updateAdminSessionStatus($userId);
                 $this->messageManager->addSuccess(__('You updated your password.'));
                 $this->getResponse()->setRedirect(
                     $this->backendDataHelper->getHomePageUrl()
diff --git a/app/code/Magento/User/Controller/Adminhtml/User/InvalidateToken.php b/app/code/Magento/User/Controller/Adminhtml/User/InvalidateToken.php
@@ -1,50 +1,80 @@
 <?php
-/**
+/************************************************************************
+ *
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
  *
- * Copyright © Magento, Inc. All rights reserved.
- * See COPYING.txt for license details.
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ * ************************************************************************
  */
+declare(strict_types=1);
 
 namespace Magento\User\Controller\Adminhtml\User;
 
+use Magento\Backend\App\Action\Context;
+use Magento\Framework\App\Action\HttpGetActionInterface;
+use Magento\Framework\App\Action\HttpPostActionInterface;
+use Magento\Framework\App\ObjectManager;
+use Magento\Framework\Registry;
 use Magento\Integration\Api\AdminTokenServiceInterface;
+use Magento\User\Controller\Adminhtml\User;
+use Magento\User\Model\UserFactory;
+use Magento\User\Helper\ForceSignIn;
 
 /**
  * Class InvalidateToken - used to invalidate/revoke all authentication tokens for a specific user.
  */
-class InvalidateToken extends \Magento\User\Controller\Adminhtml\User
+class InvalidateToken extends User implements HttpGetActionInterface, HttpPostActionInterface
 {
     /**
      * @var AdminTokenServiceInterface
      */
     protected $tokenService;
 
+    /**
+     * @var ForceSignIn
+     */
+    private ForceSignIn $forceSignIn;
+
     /**
      * Inject dependencies.
      *
-     * @param \Magento\Backend\App\Action\Context $context
-     * @param \Magento\Framework\Registry $coreRegistry
-     * @param \Magento\User\Model\UserFactory $userFactory
+     * @param Context $context
+     * @param Registry $coreRegistry
+     * @param UserFactory $userFactory
      * @param AdminTokenServiceInterface $tokenService
+     * @param ForceSignIn|null $forceSignIn
      */
     public function __construct(
-        \Magento\Backend\App\Action\Context $context,
-        \Magento\Framework\Registry $coreRegistry,
-        \Magento\User\Model\UserFactory $userFactory,
-        AdminTokenServiceInterface $tokenService
+        Context $context,
+        Registry $coreRegistry,
+        UserFactory $userFactory,
+        AdminTokenServiceInterface $tokenService,
+        ForceSignIn $forceSignIn = null
     ) {
         parent::__construct($context, $coreRegistry, $userFactory);
         $this->tokenService = $tokenService;
+        $this->forceSignIn = $forceSignIn ?: ObjectManager::getInstance()->get(ForceSignIn::class);
     }
 
     /**
+     * Revoke admin token
+     *
      * @return void
      */
     public function execute()
     {
         if ($userId = $this->getRequest()->getParam('user_id')) {
             try {
                 $this->tokenService->revokeAdminAccessToken($userId);
+                $this->forceSignIn->updateAdminSessionStatus($userId);
                 $this->messageManager->addSuccess(__('You have revoked the user\'s tokens.'));
                 $this->_redirect('adminhtml/*/edit', ['user_id' => $userId]);
                 return;
diff --git a/app/code/Magento/User/Helper/ForceSignIn.php b/app/code/Magento/User/Helper/ForceSignIn.php
@@ -0,0 +1,61 @@
+<?php
+/************************************************************************
+ *
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ * ************************************************************************
+ */
+declare(strict_types=1);
+
+namespace Magento\User\Helper;
+
+use Magento\Framework\App\Helper\AbstractHelper;
+use Magento\Framework\App\Helper\Context;
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Security\Model\ResourceModel\AdminSessionInfo;
+use Magento\Security\Model\AdminSessionInfo as AdminSessionInfoModel;
+
+/**
+ * Update admin user session status to logged out
+ */
+class ForceSignIn extends AbstractHelper
+{
+    /**
+     * @param Context $context
+     * @param AdminSessionInfo $adminSessionInfo
+     */
+    public function __construct(
+        Context $context,
+        private readonly AdminSessionInfo $adminSessionInfo
+    ) {
+        parent::__construct($context);
+    }
+
+    /**
+     * Update admin_user_session status to logged out
+     *
+     * @param int $userId
+     * @throws LocalizedException
+     */
+    public function updateAdminSessionStatus($userId): void
+    {
+        try {
+            $this->adminSessionInfo->updateStatusByUserId(
+                AdminSessionInfoModel::LOGGED_OUT,
+                $userId,
+                [AdminSessionInfoModel::LOGGED_IN]
+            );
+        } catch (\Exception $e) {
+            throw new LocalizedException(__($e->getMessage()));
+        }
+    }
+}
diff --git a/app/code/Magento/User/Test/Unit/Helper/ForceSignInTest.php b/app/code/Magento/User/Test/Unit/Helper/ForceSignInTest.php
@@ -0,0 +1,89 @@
+<?php
+/************************************************************************
+ *
+ * Copyright 2025 Adobe
+ * All Rights Reserved.
+ *
+ * NOTICE: All information contained herein is, and remains
+ * the property of Adobe and its suppliers, if any. The intellectual
+ * and technical concepts contained herein are proprietary to Adobe
+ * and its suppliers and are protected by all applicable intellectual
+ * property laws, including trade secret and copyright laws.
+ * Dissemination of this information or reproduction of this material
+ * is strictly forbidden unless prior written permission is obtained
+ * from Adobe.
+ * ************************************************************************
+ */
+declare(strict_types=1);
+
+namespace Magento\User\Test\Unit\Helper;
+
+use Magento\Framework\Exception\LocalizedException;
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+use Magento\Security\Model\ResourceModel\AdminSessionInfo;
+use PHPUnit\Framework\TestCase;
+use Magento\User\Helper\ForceSignIn;
+
+/**
+ * Revoke user token
+ */
+class ForceSignInTest extends TestCase
+{
+    /**
+     * @var ForceSignIn
+     */
+    private $forceSignIn;
+
+    /**
+     * @var AdminSessionInfo
+     */
+    private $adminSessionInfo;
+
+    /**
+     * @return void
+     */
+    public function setUp(): void
+    {
+        $this->adminSessionInfo = $this->getMockBuilder(AdminSessionInfo::class)
+         ->disableOriginalConstructor()
+         ->getMock();
+
+        $objectManager = new ObjectManager($this);
+        $this->forceSignIn = $objectManager->getObject(
+            ForceSignIn::class,
+            [
+                'adminSessionInfo' => $this->adminSessionInfo
+            ]
+        );
+    }
+
+    /**
+     * Update admin session status
+     *
+     * @return void
+     * @throws LocalizedException
+     */
+    public function testUpdateAdminSessionStatus()
+    {
+        $this->adminSessionInfo->expects($this->any())
+            ->method('updateStatusByUserId')
+            ->with(0, 1, [1], [], null)
+            ->willReturnSelf();
+        $this->forceSignIn->updateAdminSessionStatus(1);
+    }
+
+    /**
+     * Throw exception for admin session
+     *
+     * @throws LocalizedException
+     */
+    public function testExceptionUpdateAdminSessionStatus()
+    {
+        $this->expectException(LocalizedException::class);
+        $this->adminSessionInfo->expects($this->any())
+            ->method('updateStatusByUserId')
+            ->with(0, 1, [1], [], null)
+            ->willReturnSelf();
+        $this->forceSignIn->updateAdminSessionStatus(0);
+    }
+}
