Delete sessions after password change/reset

Author: benjie

@app/db/migrations/committed/000001.sql

@@ -1,5 +1,5 @@
 --! Previous: -
---! Hash: sha1:fbd6ffb5be53e7e0bfc63929a52cfc13e698c5f0
+--! Hash: sha1:eaf2866060caa0bba319236017c15a40d37a7815
 
 --! split: 0001-reset.sql
 /*
@@ -1064,7 +1064,9 @@ begin
     -- Not too many reset attempts, let's check the token
     if v_user_secret.reset_password_token = reset_token then
       -- Excellent - they're legit
+
       perform app_private.assert_valid_password(new_password);
+
       -- Let's reset the password as requested
       update app_private.user_secrets
       set
@@ -1076,13 +1078,20 @@ begin
         failed_reset_password_attempts = 0,
         first_failed_reset_password_attempt = null
       where user_secrets.user_id = v_user.id;
+
+      -- Revoke the users' sessions
+      delete from app_private.sessions
+      where sessions.user_id = v_user.id;
+
+      -- Notify user their password was reset
       perform graphile_worker.add_job(
         'user__audit',
         json_build_object(
           'type', 'reset_password',
           'user_id', v_user.id,
           'current_user_id', app_public.current_user_id()
         ));
+
       return true;
     else
       -- Wrong token, bump all the attempt tracking figures
@@ -1221,18 +1230,27 @@ begin
 
     if v_user_secret.password_hash = crypt(old_password, v_user_secret.password_hash) then
       perform app_private.assert_valid_password(new_password);
+
       -- Reset the password as requested
       update app_private.user_secrets
       set
         password_hash = crypt(new_password, gen_salt('bf'))
       where user_secrets.user_id = v_user.id;
+
+      -- Revoke all other sessions
+      delete from app_private.sessions
+      where sessions.user_id = v_user.id
+      and sessions.uuid <> app_public.current_session_id();
+
+      -- Notify user their password was changed
       perform graphile_worker.add_job(
         'user__audit',
         json_build_object(
           'type', 'change_password',
           'user_id', v_user.id,
           'current_user_id', app_public.current_user_id()
         ));
+
       return true;
     else
       raise exception 'Incorrect password' using errcode = 'CREDS';

data/schema.sql

@@ -2,8 +2,8 @@
 -- PostgreSQL database dump
 --
 
--- Dumped from database version 13.2 (Ubuntu 13.2-1.pgdg18.04+1)
--- Dumped by pg_dump version 13.2 (Ubuntu 13.2-1.pgdg18.04+1)
+-- Dumped from database version 13.4 (Ubuntu 13.4-0ubuntu0.21.04.1)
+-- Dumped by pg_dump version 13.4 (Ubuntu 13.4-0ubuntu0.21.04.1)
 
 SET statement_timeout = 0;
 SET lock_timeout = 0;
@@ -522,7 +522,9 @@ begin
     -- Not too many reset attempts, let's check the token
     if v_user_secret.reset_password_token = reset_token then
       -- Excellent - they're legit
+
       perform app_private.assert_valid_password(new_password);
+
       -- Let's reset the password as requested
       update app_private.user_secrets
       set
@@ -534,13 +536,20 @@ begin
         failed_reset_password_attempts = 0,
         first_failed_reset_password_attempt = null
       where user_secrets.user_id = v_user.id;
+
+      -- Revoke the users' sessions
+      delete from app_private.sessions
+      where sessions.user_id = v_user.id;
+
+      -- Notify user their password was reset
       perform graphile_worker.add_job(
         'user__audit',
         json_build_object(
           'type', 'reset_password',
           'user_id', v_user.id,
           'current_user_id', app_public.current_user_id()
         ));
+
       return true;
     else
       -- Wrong token, bump all the attempt tracking figures
@@ -770,18 +779,27 @@ begin
 
     if v_user_secret.password_hash = crypt(old_password, v_user_secret.password_hash) then
       perform app_private.assert_valid_password(new_password);
+
       -- Reset the password as requested
       update app_private.user_secrets
       set
         password_hash = crypt(new_password, gen_salt('bf'))
       where user_secrets.user_id = v_user.id;
+
+      -- Revoke all other sessions
+      delete from app_private.sessions
+      where sessions.user_id = v_user.id
+      and sessions.uuid <> app_public.current_session_id();
+
+      -- Notify user their password was changed
       perform graphile_worker.add_job(
         'user__audit',
         json_build_object(
           'type', 'change_password',
           'user_id', v_user.id,
           'current_user_id', app_public.current_user_id()
         ));
+
       return true;
     else
       raise exception 'Incorrect password' using errcode = 'CREDS';