invalidate all user sessions after a password reset

Signed-off-by: sebadob <sebastiandobe@mailbox.org>
sebadob · Nov 24, 2023 · 570dea6 · 570dea6
1 parent 20d69ca
commit 570dea6
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/rauthy-service/src/password_reset.rs b/rauthy-service/src/password_reset.rs
@@ -7,6 +7,7 @@ use rauthy_models::app_state::AppState;
 use rauthy_models::entity::colors::ColorEntity;
 use rauthy_models::entity::magic_links::{MagicLink, MagicLinkUsage};
 use rauthy_models::entity::password::PasswordPolicy;
+use rauthy_models::entity::sessions::Session;
 use rauthy_models::entity::users::User;
 use rauthy_models::entity::webauthn;
 use rauthy_models::entity::webauthn::WebauthnServiceReq;
@@ -218,6 +219,9 @@ pub async fn handle_put_user_password_reset<'a>(
         .await
         .unwrap();
 
+    // delete all existing user sessions to have a clean flow
+    Session::invalidate_for_user(data, &user.id).await?;
+
     // delete the cookie
     let cookie = cookie::Cookie::build(PWD_RESET_COOKIE, "")
         .secure(true)