Revoke other sessions when password is changed

2025-01-23 22:40:20 +08:00 · 2024-05-14 19:40:57 -04:00 · 2024-05-14 19:40:57 -04:00 · 0b093dd57e
commit 0b093dd57e
parent 923d5878c3
2 changed files with 13 additions and 2 deletions
--- a/packages/backend/src/routers/user-protected/change-password.js
+++ b/packages/backend/src/routers/user-protected/change-password.js
@ -80,6 +80,14 @@ module.exports = {
        const svc_email = req.services.get('email');
        svc_email.send_email({ email: req.user.email }, 'password_change_notification');

+        // Kick out all other sessions
+        const svc_auth = req.services.get('auth');
+        const sessions = await svc_auth.list_sessions(req.actor);
+        for ( const session of sessions ) {
+            if ( session.current ) continue;
+            await svc_auth.revoke_session(req.actor, session.uuid);
+        }
+
        return res.send('Password successfully updated.')
    }
 };
--- a/packages/backend/src/services/auth/AuthService.js
+++ b/packages/backend/src/services/auth/AuthService.js
@ -365,11 +365,14 @@ class AuthService extends BaseService {
                mysql: () => session.meta,
                otherwise: () => JSON.parse(session.meta ?? "{}")
            })();
+            sessions.push(session);
+        };
+
+        for ( const session of sessions ) {
            if ( session.uuid === actor.type.session ) {
                session.current = true;
            }
-            sessions.push(session);
-        };
+        }

        return sessions;
    }