[@accounts/password] Add invalidateAllSessionsAfterPasswordReset and invalidateAllSessionsAfterPasswordChanged options (#773)

* invalidateAllSessionsAfterPasswordReset and invalidateAllSessionsAfterPasswordChanged options

* upd test: changePassword -> changePassword and invalidate all sessions

* added a test: call invalidateAllSessions

* accounts-password: upd tests and snaps

Author: nyablo

packages/password/__tests__/__snapshots__/accounts-password.ts.snap

@@ -20,7 +20,13 @@ exports[`AccountsPassword authenticate throws when hash not found 1`] = `"User h
 
 exports[`AccountsPassword authenticate throws when user not found 1`] = `"User not found"`;
 
-exports[`AccountsPassword changePassword throws when new password is invalid 1`] = `"Invalid password"`;
+exports[`AccountsPassword changePassword and invalidate all sessions call invalidateAllSessions 1`] = `
+Array [
+  undefined,
+]
+`;
+
+exports[`AccountsPassword changePassword and invalidate all sessions throws when new password is invalid 1`] = `"Invalid password"`;
 
 exports[`AccountsPassword createUser throws on required fields 1`] = `"Username or Email is required"`;
 

packages/password/__tests__/accounts-password.ts

@@ -402,20 +402,53 @@ describe('AccountsPassword', () => {
     });
   });
 
-  describe('changePassword', () => {
+  describe('changePassword and invalidate all sessions', () => {
+    const tmpAccountsPassword = new AccountsPassword({
+      invalidateAllSessionsAfterPasswordChanged: true,
+    });
     const validUser = {
       emails: [{ address: '[email protected]', verified: true }],
     };
 
     it('throws when new password is invalid', async () => {
       try {
-        await password.changePassword('userId', 'old-password', null as any);
+        await tmpAccountsPassword.changePassword('userId', 'old-password', null as any);
         throw new Error();
       } catch (err) {
         expect(err.message).toMatchSnapshot();
       }
     });
 
+    it('call invalidateAllSessions', async () => {
+      const userId = 'id';
+      const setPassword = jest.fn(() => Promise.resolve('user'));
+      const findUserById = jest.fn(() => Promise.resolve(validUser));
+      const invalidateAllSessions = jest.fn(() => Promise.resolve());
+      const findPasswordHash = jest.fn(() => Promise.resolve());
+      tmpAccountsPassword.setStore({
+        setPassword,
+        findUserById,
+        findPasswordHash,
+        invalidateAllSessions,
+      } as any);
+      const prepareMail = jest.fn(() => Promise.resolve());
+      const sanitizeUser = jest.fn(() => Promise.resolve());
+      const sendMail = jest.fn(() => Promise.resolve());
+      tmpAccountsPassword.server = {
+        ...server,
+        prepareMail,
+        options: { sendMail },
+        sanitizeUser,
+      } as any;
+      set(tmpAccountsPassword.server, 'options.emailTemplates', {});
+      jest
+        .spyOn(tmpAccountsPassword, 'passwordAuthenticator' as any)
+        .mockImplementation(() => Promise.resolve(validUser));
+      await tmpAccountsPassword.changePassword(userId, 'old-password', 'new-password');
+      expect(invalidateAllSessions.mock.calls[0]).toMatchSnapshot();
+      (tmpAccountsPassword as any).passwordAuthenticator.mockRestore();
+    });
+
     it('call passwordAuthenticator and this.db.setPassword', async () => {
       const userId = 'id';
       const setPassword = jest.fn(() => Promise.resolve('user'));

packages/password/src/accounts-password.ts

@@ -58,6 +58,16 @@ export interface AccountsPasswordOptions {
    * Default to false.
    */
   returnTokensAfterResetPassword?: boolean;
+  /**
+   * Invalidate existing sessions after password has been reset
+   * Default to true.
+   */
+  invalidateAllSessionsAfterPasswordReset?: boolean;
+  /**
+   * Invalidate existing sessions after password has been changed
+   * Default to false.
+   */
+  invalidateAllSessionsAfterPasswordChanged?: boolean;
   /**
    * Function that will validate the user object during `createUser`.
    * The user returned from this function will be directly inserted in the database so be careful when you whitelist the fields,
@@ -92,6 +102,8 @@ const defaultOptions = {
   passwordEnrollTokenExpiration: 2592000000,
   notifyUserAfterPasswordChanged: true,
   returnTokensAfterResetPassword: false,
+  invalidateAllSessionsAfterPasswordReset: true,
+  invalidateAllSessionsAfterPasswordChanged: false,
   validateEmail(email?: string): boolean {
     return !isEmpty(trim(email)) && isEmail(email);
   },
@@ -271,7 +283,9 @@ export default class AccountsPassword implements AuthenticationService {
     }
 
     // Changing the password should invalidate existing sessions
-    await this.db.invalidateAllSessions(user.id);
+    if (this.options.invalidateAllSessionsAfterPasswordReset) {
+      await this.db.invalidateAllSessions(user.id);
+    }
 
     if (this.options.notifyUserAfterPasswordChanged) {
       const address = user.emails && user.emails[0].address;
@@ -331,6 +345,10 @@ export default class AccountsPassword implements AuthenticationService {
 
     this.server.getHooks().emit(ServerHooks.ChangePasswordSuccess, user);
 
+    if (this.options.invalidateAllSessionsAfterPasswordChanged) {
+      await this.db.invalidateAllSessions(user.id);
+    }
+
     if (this.options.notifyUserAfterPasswordChanged) {
       const address = user.emails && user.emails[0].address;
       if (!address) {