From d1ffe242692570e4f04d147178710c319a2bfd8c Mon Sep 17 00:00:00 2001
From: Adria Navarro
Date: Fri, 29 Dec 2023 16:54:47 +0100
Subject: [PATCH] Invalidate session on password update
---
 packages/worker/src/sdk/auth/auth.ts | 1 +
 .../worker/src/sdk/auth/tests/auth.spec.ts | 21 +++++++++++++++++--
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/packages/worker/src/sdk/auth/auth.ts b/packages/worker/src/sdk/auth/auth.ts
index bdc5fc2366..3f24de440a 100644
--- a/packages/worker/src/sdk/auth/auth.ts
+++ b/packages/worker/src/sdk/auth/auth.ts
@@ -80,6 +80,7 @@ export const resetUpdate = async (resetCode: string, password: string) => {
 user = await userSdk.db.save(user)
 await cache.passwordReset.invalidateCode(resetCode)
+ await sessions.invalidateSessions(userId)
 
 // remove password from the user before sending events
 delete user.password
diff --git a/packages/worker/src/sdk/auth/tests/auth.spec.ts b/packages/worker/src/sdk/auth/tests/auth.spec.ts
index 0d05a3fbb3..e9f348f7c7 100644
--- a/packages/worker/src/sdk/auth/tests/auth.spec.ts
+++ b/packages/worker/src/sdk/auth/tests/auth.spec.ts
@@ -1,5 +1,5 @@
-import { cache, context, utils } from "@budibase/backend-core"
-import { resetUpdate } from "../auth"
+import { cache, context, sessions, utils } from "@budibase/backend-core"
+import { loginUser, resetUpdate } from "../auth"
 import { generator, structures } from "@budibase/backend-core/tests"
 import { TestConfiguration } from "../../../tests"
 
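Review bot: Only the reset-code flow revokes sessions here — `sessions.invalidateSessions(userId)` is added inside `resetUpdate`, so if this file or the user SDK has another path that writes a new password, such as a self-service password change or an admin setting one, that path still leaves every existing session valid after the change; each such path should revoke sessions too, in the self-service case sparing the caller's current session. Placing the call after `userSdk.db.save(user)` is the right order, since nothing is revoked before the new credential is actually stored, but a throw from `invalidateSessions` now surfaces after the password has already been changed and the reset code consumed, so the caller sees an error for a reset that partly succeeded; a comment such as `// revoke every existing session so one issued under the old password cannot outlive it` would record the intent. `resetUpdate` begins before the hunk, so where `userId` is derived from `resetCode`, and whether `sessions` is already imported in this file, are not visible here.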
@@ -49,5 +49,22 @@ describe("auth", () => {
 )
 })
 })
+
+ it("updating the password will invalidate all the sessions", async () => {
+ await context.doInTenant(structures.tenant.id(), async () => {
+ const user = await config.createUser()
+
+ await loginUser(user)
+
+ expect(await sessions.getSessionsForUser(user._id!)).toHaveLength(1)
+
+ const code = await cache.passwordReset.createCode(user._id!, {})
+ const newPassword = generator.hash()
+
+ await resetUpdate(code, newPassword)
+
+ expect(await sessions.getSessionsForUser(user._id!)).toHaveLength(0)
+ })
+ })
 })
 })
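Review bot: The new test only shows that the reset user's own session count drops to zero; it does not show that the revocation is scoped to that user, so an `invalidateSessions` that cleared every session in the tenant would pass just the same. Log in a second user before the reset and assert afterwards that their session survives: `const other = await config.createUser(); await loginUser(other)` before `resetUpdate`, then `expect(await sessions.getSessionsForUser(other._id!)).toHaveLength(1)` after it. The repeated `user._id!` is acceptable in a test, though a single `const userId = user._id!` at the top would avoid restating the non-null assertion four times. The `describe` block this `it` belongs to opens before the hunk.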