feat: logout sessions on password change (#23188)

* log out other sessions on password change

* translations

* update and add tests

* rename event to UserLogoutOtherSessions

* fix typo

* requested changes

* fix tests

* fix medium:test

* use ValidateBoolean

* fix format

* dont delete current session id

* Update server/src/dtos/auth.dto.ts

Co-authored-by: Daniel Dietzler <36593685+danieldietzler@users.noreply.github.com>

* rename event and invalidateOtherSessions

* chore: cleanup

---------

Co-authored-by: Daniel Dietzler <36593685+danieldietzler@users.noreply.github.com>
Co-authored-by: Jason Rasmussen <jason@rasm.me>
Jorge Montejo
2025-10-27 14:16:10 +01:00
committed by GitHub
parent 6bb1a9e083
commit 382481735a
15 changed files with 90 additions and 19 deletions


@@ -88,6 +88,8 @@ type EventMap = {
UserDelete: [UserEvent];
UserRestore: [UserEvent];
AuthChangePassword: [{ userId: string; currentSessionId?: string; invalidateSessions?: boolean }];
// websocket events
WebsocketConnect: [{ userId: string }];
};
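Review bot: `invalidateSessions` is optional in the new `AuthChangePassword` payload, so an emitter that leaves it out gets no session revocation and every listener has to treat `undefined` as `false`. For a password change made after a suspected compromise, that default leaves all other sessions valid; the emitter and the DTO default are not visible in this hunk, so this should be confirmed there. I would at least document the contract on the entry, e.g. `// invalidateSessions: when true, the user's other sessions are revoked; currentSessionId (presumably the caller's session) is kept`. The `EventMap` type starts above the hunk.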


@@ -101,6 +101,15 @@ export class SessionRepository {
await this.db.deleteFrom('session').where('id', '=', asUuid(id)).execute();
}
@GenerateSql({ params: [{ userId: DummyValue.UUID, excludeId: DummyValue.UUID }] })
async invalidate({ userId, excludeId }: { userId: string; excludeId?: string }) {
await this.db
.deleteFrom('session')
.where('userId', '=', userId)
.$if(!!excludeId, (qb) => qb.where('id', '!=', excludeId!))
.execute();
}
@GenerateSql({ params: [DummyValue.UUID] })
async lockAll(userId: string) {
await this.db.updateTable('session').set({ pinExpiresAt: null }).where('userId', '=', userId).execute();
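Review bot: In `invalidate`, the `!!excludeId` test treats an empty string the same as a missing id, so the `id != excludeId` filter is skipped and every session of the user is deleted, including the caller's. That fails closed, which is the safer direction, but it is stated nowhere and the `excludeId!` assertion hides it; a comment such as `// no excludeId: all sessions for the user are deleted, including the current one` above the method would make it explicit. The neighbouring delete wraps its id in `asUuid(...)` while this method passes `userId` and `excludeId` as plain strings; if that helper is needed for the column type, it should be used here as well. The `SessionRepository` class starts and ends outside the hunk.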