Retrieve only user external logins when invalidate following removal of backoffice external user login (#19766)

AndyButland · kjac · commit 8cc6508b225e · 2025-07-22T10:06:41.000+02:00
* Retrieve only user external logins when invalidate following removal of backoffice external user login.

* Improved variable name.
diff --git a/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/UserRepository.cs b/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/UserRepository.cs
@@ -1264,26 +1264,27 @@ private Sql<ISqlContext> ApplySort(Sql<ISqlContext> sql, Expression<Func<IUser,
     /// <inheritdoc />
     public void InvalidateSessionsForRemovedProviders(IEnumerable<string> currentLoginProviders)
     {
-        // Get all the user or member keys associated with the removed providers.
+        // Get all the user keys associated with the removed providers.
         Sql<ISqlContext> idsQuery = SqlContext.Sql()
             .Select<ExternalLoginDto>(x => x.UserOrMemberKey)
             .From<ExternalLoginDto>()
+            .Where<ExternalLoginDto>(x => !x.LoginProvider.StartsWith(Constants.Security.MemberExternalAuthenticationTypePrefix)) // Only invalidate sessions relating to backoffice users, not members.
             .WhereNotIn<ExternalLoginDto>(x => x.LoginProvider, currentLoginProviders);
-        List<Guid> userAndMemberKeysAssociatedWithRemovedProviders = Database.Fetch<Guid>(idsQuery);
-        if (userAndMemberKeysAssociatedWithRemovedProviders.Count == 0)
+        List<Guid> userKeysAssociatedWithRemovedProviders = Database.Fetch<Guid>(idsQuery);
+        if (userKeysAssociatedWithRemovedProviders.Count == 0)
         {
             return;
         }
 
         // Invalidate the security stamps on the users associated with the removed providers.
         Sql<ISqlContext> updateSecurityStampsQuery = Sql()
             .Update<UserDto>(u => u.Set(x => x.SecurityStampToken, "0".PadLeft(32, '0')))
-            .WhereIn<UserDto>(x => x.Key, userAndMemberKeysAssociatedWithRemovedProviders);
+            .WhereIn<UserDto>(x => x.Key, userKeysAssociatedWithRemovedProviders);
         Database.Execute(updateSecurityStampsQuery);
 
         // Delete the OpenIddict tokens for the users associated with the removed providers.
         // The following is safe from SQL injection as we are dealing with GUIDs, not strings.
-        var userKeysForInClause = string.Join("','", userAndMemberKeysAssociatedWithRemovedProviders.Select(x => x.ToString()));
+        var userKeysForInClause = string.Join("','", userKeysAssociatedWithRemovedProviders.Select(x => x.ToString()));
         Database.Execute("DELETE FROM umbracoOpenIddictTokens WHERE Subject IN ('" + userKeysForInClause + "')");
     }
 
