
Sync is success even after password is changed #9520


Closed
SagarGi opened this issue Mar 16, 2022 · 3 comments

Comments

@SagarGi
Member

SagarGi commented Mar 16, 2022

Description

Even if I change the password from the server, given that the user is already logged in in the desktop client, syncing activity can still be performed without re-authenticating the desktop client.

Steps to Reproduce

  • Log in to the desktop client as u1
  • Change the password of u1 from the server
  • Add/delete some files/folders for u1 via the server

Expected Behaviour

The client should ask for re-authentication before syncing

Actual Behaviour

The files/folders sync successfully without re-authentication

@michaelstingl
Contributor

What login? Basic Auth or OAuth 2.0?

@fmoc
Contributor

fmoc commented Mar 16, 2022

This is not an issue of the desktop client. The client just continues to use the existing session because the server permits it. The server is in control of the session, not the client.

In case you change the password, the server should invalidate existing sessions and thus revoke existing clients' access. It doesn't do so in this case, though. The client cannot know that the passphrase has changed. It's the server's job to revoke access and force the client to reauthenticate. If it doesn't do so, there is nothing we can do, as this is clearly out of the client's scope.

You may want to open an issue with the server.

@TheOneRing
Contributor

The OAuth token is independent of the user's password.
The server could decide to invalidate the token on a password change.
In general the issue is unrelated to the desktop client.
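
The server-side revocation discussed in the comments above, as an added example that is not part of the original thread and is not ownCloud code: a bearer token stays valid across a password change unless the server ties it to a per-user credential epoch. `TokenStore`, its methods, the `revoke_on_password_change` switch and the sample passwords are all hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets


class TokenStore:
    """Hypothetical server-side store of users and issued session/OAuth-style tokens."""

    def __init__(self, revoke_on_password_change=True):
        self.revoke_on_password_change = revoke_on_password_change
        self._users = {}   # user -> {"salt", "pw_hash", "epoch"}
        self._tokens = {}  # sha256(token) -> (user, epoch at issue time)

    @staticmethod
    def _hash_pw(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        rec = self._users.setdefault(user, {"epoch": 0})
        rec["salt"], rec["pw_hash"] = salt, self._hash_pw(password, salt)
        if self.revoke_on_password_change:
            rec["epoch"] += 1  # every token issued before this point becomes stale

    def login(self, user, password):
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(
                rec["pw_hash"], self._hash_pw(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        # Store only a digest so a leaked token table does not yield usable tokens.
        self._tokens[hashlib.sha256(token.encode()).hexdigest()] = (user, rec["epoch"])
        return token

    def authenticate(self, token):
        """Return the user for a still-valid token, else None (client must log in again)."""
        entry = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if entry is None or entry[1] != self._users[entry[0]]["epoch"]:
            return None  # unknown token, or issued before the last password change
        return entry[0]


def token_survives_password_change(revoke):
    # Constructed scenario mirroring the issue's reproduction steps for user u1.
    store = TokenStore(revoke_on_password_change=revoke)
    store.set_password("u1", "old-password")
    token = store.login("u1", "old-password")  # desktop client logs in
    store.set_password("u1", "new-password")   # password changed on the server
    return store.authenticate(token) == "u1"   # the client's next sync request
```

With `revoke=False` the old token keeps working, which is the behaviour reported in this issue; with `revoke=True` the next sync request is rejected and the client has to authenticate again.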
