Revoke refresh token on password change (#708)

armanddidierjean · web-flow · commit ef8159224424 · 2025-05-18T09:38:50.000+02:00
### Description

Currently, is someone account is compromised, the user can not log out
all active sessions.

Due to the use of a JWT we can not revoke active access token, but as
they have a limited duration they will automatically expire after some
time.

We should revoke refresh token to ensure that clients won't be able to
get a new access token.

As a consequence the user changing its password in settings will be
logged out of the app, but not immediately, only after the expiration of
its refresh token
diff --git a/app/core/auth/cruds_auth.py b/app/core/auth/cruds_auth.py
@@ -102,7 +102,7 @@ async def revoke_refresh_token_by_client_and_user_id(
     db: AsyncSession,
     client_id: str,
     user_id: str,
-) -> models_auth.RefreshToken | None:
+) -> None:
     """Revoke a refresh token from database"""
 
     await db.execute(
@@ -115,4 +115,20 @@ async def revoke_refresh_token_by_client_and_user_id(
         .values(revoked_on=datetime.now(UTC)),
     )
     await db.commit()
-    return None
+
+
+async def revoke_refresh_token_by_user_id(
+    db: AsyncSession,
+    user_id: str,
+) -> None:
+    """Revoke a refresh token from database"""
+
+    await db.execute(
+        update(models_auth.RefreshToken)
+        .where(
+            models_auth.RefreshToken.user_id == user_id,
+            models_auth.RefreshToken.revoked_on.is_(None),
+        )
+        .values(revoked_on=datetime.now(UTC)),
+    )
+    await db.commit()
diff --git a/app/core/users/endpoints_users.py b/app/core/users/endpoints_users.py
@@ -20,6 +20,7 @@
 from sqlalchemy.exc import IntegrityError
 from sqlalchemy.ext.asyncio import AsyncSession
 
+from app.core.auth import cruds_auth
 from app.core.groups import cruds_groups, models_groups
 from app.core.groups.groups_type import AccountType, GroupType
 from app.core.schools.schools_type import SchoolType
@@ -576,6 +577,14 @@ async def reset_password(
         email=recover_request.email,
     )
 
+    # Revoke existing auth refresh tokens
+    # to force the user to reauthenticate on all services and devices
+    # when their token expire
+    await cruds_auth.revoke_refresh_token_by_user_id(
+        db=db,
+        user_id=recover_request.user_id,
+    )
+
     return standard_responses.Result()
 
 
@@ -753,6 +762,14 @@ async def change_password(
         new_password_hash=new_password_hash,
     )
 
+    # Revoke existing auth refresh tokens
+    # to force the user to reauthenticate on all services and devices
+    # when their token expire
+    await cruds_auth.revoke_refresh_token_by_user_id(
+        db=db,
+        user_id=user.id,
+    )
+
     return standard_responses.Result()
 
 
