Revoke other sessions when password is changed

Author: KernelDeimos

packages/backend/src/routers/user-protected/change-password.js

@@ -80,6 +80,14 @@ module.exports = {
         const svc_email = req.services.get('email');
         svc_email.send_email({ email: req.user.email }, 'password_change_notification');
 
+        // Kick out all other sessions
+        const svc_auth = req.services.get('auth');
+        const sessions = await svc_auth.list_sessions(req.actor);
+        for ( const session of sessions ) {
+            if ( session.current ) continue;
+            await svc_auth.revoke_session(req.actor, session.uuid);
+        }
+
         return res.send('Password successfully updated.')
     }
 };

packages/backend/src/services/auth/AuthService.js

@@ -365,11 +365,14 @@ class AuthService extends BaseService {
                 mysql: () => session.meta,
                 otherwise: () => JSON.parse(session.meta ?? "{}")
             })();
+            sessions.push(session);
+        };
+
+        for ( const session of sessions ) {
             if ( session.uuid === actor.type.session ) {
                 session.current = true;
             }
-            sessions.push(session);
-        };
+        }
 
         return sessions;
     }