From 0c067fbb7cbc89dbec7c756e39e1f679da6052f5 Mon Sep 17 00:00:00 2001
From: ZeroPath
Date: Thu, 14 Aug 2025 04:41:10 +0000
Subject: [PATCH] feat: implement session revocation and notification on password reset
---
 lib/insecurity.ts | 13 +++++++++++++
 routes/resetPassword.ts | 2 ++
 2 files changed, 15 insertions(+)
diff --git a/lib/insecurity.ts b/lib/insecurity.ts
index 0e4e3d99389..64abae6a22e 100644
--- a/lib/insecurity.ts
+++ b/lib/insecurity.ts
@@ -199,3 +199,16 @@ export const updateAuthenticatedUsers = () => (req: Request, res: Response, next
 }
 next()
 }
+
+export const clearSessionsFor = (user: UserModel) => {
+ const token = authenticatedUsers.tokenOf(user)
+ if (token) {
+ delete authenticatedUsers.tokenMap[token]
+ delete authenticatedUsers.idMap[user.id]
+ }
+}
+
+export const sendPasswordResetNotification = (email: string) => {
+ // Placeholder: replace with real email dispatch
+ console.info(`Password reset notification sent to ${email}`)
+}
diff --git a/routes/resetPassword.ts b/routes/resetPassword.ts
index 235be1b45ee..48544d4acc7 100644
--- a/routes/resetPassword.ts
+++ b/routes/resetPassword.ts
@@ -36,6 +36,8 @@ module.exports = function resetPassword () {
 if ((data != null) && security.hmac(answer) === data.answer) {
 UserModel.findByPk(data.UserId).then((user: UserModel | null) => {
 user?.update({ password: newPassword }).then((user: UserModel) => {
+ security.clearSessionsFor(user)
+ security.sendPasswordResetNotification(user.email)
 verifySecurityAnswerChallenges(user, answer)
 res.json({ user })
 }).catch((error: unknown) => {
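Review bot: `clearSessionsFor` deletes only the one token returned by `authenticatedUsers.tokenOf(user)`, so if a user can hold several live tokens (more than one device or browser) the remaining entries stay in `tokenMap` after the reset. The function also touches only the in-memory maps; if authentication elsewhere accepts any token whose signature still verifies, or if `updateAuthenticatedUsers` (only its tail is visible as context here) re-registers such tokens, the old session survives the password change, and that should be confirmed before this is treated as revocation. In `sendPasswordResetNotification` the message `Password reset notification sent to ${email}` is logged although nothing is sent, which leaves a misleading audit record and writes the raw address into the log. Until a mailer exists I would log something like `console.info('Password reset notification skipped: mailer not implemented')` and add a doc comment on `clearSessionsFor` stating exactly what it removes.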
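Review bot: The two added calls in routes/resetPassword.ts run inside the `.then` ahead of `res.json({ user })`, so once `sendPasswordResetNotification` becomes a real mail dispatch any exception it throws falls into the following `.catch`, and the client is told the reset failed although the password has already been changed. I would make the notification best-effort, e.g. `try { security.sendPasswordResetNotification(user.email) } catch { console.warn('password reset notification failed') }`, and keep `security.clearSessionsFor(user)` ahead of it so revocation never depends on mail delivery. A one-line comment such as `// revoke existing sessions first; notification is best-effort` would record that the ordering is intentional. The enclosing handler starts and ends outside this hunk.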