Invalidate session on password update

This commit is contained in:
Adria Navarro 2023-12-29 16:54:47 +01:00
parent f74264c1c8
commit d1ffe24269
2 changed files with 20 additions and 2 deletions

View File

@ -80,6 +80,7 @@ export const resetUpdate = async (resetCode: string, password: string) => {
user = await userSdk.db.save(user) user = await userSdk.db.save(user)
await cache.passwordReset.invalidateCode(resetCode) await cache.passwordReset.invalidateCode(resetCode)
await sessions.invalidateSessions(userId)
// remove password from the user before sending events // remove password from the user before sending events
delete user.password delete user.password

View File

@ -1,5 +1,5 @@
import { cache, context, utils } from "@budibase/backend-core" import { cache, context, sessions, utils } from "@budibase/backend-core"
import { resetUpdate } from "../auth" import { loginUser, resetUpdate } from "../auth"
import { generator, structures } from "@budibase/backend-core/tests" import { generator, structures } from "@budibase/backend-core/tests"
import { TestConfiguration } from "../../../tests" import { TestConfiguration } from "../../../tests"
@ -49,5 +49,22 @@ describe("auth", () => {
) )
}) })
}) })
it("updating the password will invalidate all the sessions", async () => {
await context.doInTenant(structures.tenant.id(), async () => {
const user = await config.createUser()
await loginUser(user)
expect(await sessions.getSessionsForUser(user._id!)).toHaveLength(1)
const code = await cache.passwordReset.createCode(user._id!, {})
const newPassword = generator.hash()
await resetUpdate(code, newPassword)
expect(await sessions.getSessionsForUser(user._id!)).toHaveLength(0)
})
})
}) })
}) })