Delete mismatched auth users, fixes #613

app/soapbox/reducers/__tests__/auth-test.js

@@ -154,6 +154,28 @@ describe('auth reducer', () => {
       const result = reducer(state, action);
       expect(result.get('me')).toEqual('5678');
     });
+
+    it('deletes mismatched users', () => {
+      const action = {
+        type: VERIFY_CREDENTIALS_SUCCESS,
+        token: 'ABCDEFG',
+        account: { id: '1234' },
+      };
+
+      const state = fromJS({
+        users: { '4567': { id: '4567', access_token: 'ABCDEFG' } },
+        users: { '8901': { id: '1234', access_token: 'ABCDEFG' } },
+        users: { '5432': { id: '5432', access_token: 'HIJKLMN' } },
+      });
+
+      const expected = fromJS({
+        '1234': { id: '1234', access_token: 'ABCDEFG' },
+        '5432': { id: '5432', access_token: 'HIJKLMN' },
+      });
+
+      const result = reducer(state, action);
+      expect(result.get('users')).toEqual(expected);
+    });
   });
 
   describe('VERIFY_CREDENTIALS_FAIL', () => {

app/soapbox/reducers/auth.js

@@ -103,6 +103,16 @@ const upgradeLegacyId = (state, account) => {
   // By this point it's probably safe, but we'll leave it just in case.
 };
 
+// Returns a predicate function for filtering a mismatched user/token
+const userMismatch = (token, account) => {
+  return (user, id) => {
+    const sameToken = user.get('access_token') === token;
+    const differentId = id !== account.id || user.get('id') !== account.id;
+
+    return sameToken && differentId;
+  };
+};
+
 const importCredentials = (state, token, account) => {
   return state.withMutations(state => {
     state.setIn(['users', account.id], ImmutableMap({
@@ -110,6 +120,7 @@ const importCredentials = (state, token, account) => {
       access_token: token,
     }));
     state.setIn(['tokens', token, 'account'], account.id);
+    state.update('users', ImmutableMap(), users => users.filterNot(userMismatch(token, account)));
     state.update('me', null, me => me || account.id);
     upgradeLegacyId(state, account);
   });