fix: invalidate sessions on password reset and update

2025-11-19 03:01:59 +10:00 · 2025-10-15 16:39:24 +00:00
parent 7f09ba72f4
commit d70ea9c6a7
3 changed files with 175 additions and 5 deletions
--- a/packages/auth/server/routes/email-password.ts
+++ b/packages/auth/server/routes/email-password.ts
@ -24,6 +24,7 @@ import { env } from '@documenso/lib/utils/env';
 import { prisma } from '@documenso/prisma';

 import { AuthenticationErrorCode } from '../lib/errors/error-codes';
+import { invalidateSessions } from '../lib/session/session';
 import { getCsrfCookie } from '../lib/session/session-cookies';
 import { onAuthorize } from '../lib/utils/authorizer';
 import { getSession } from '../lib/utils/get-session';
@ -170,15 +171,38 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()
    const { password, currentPassword } = c.req.valid('json');
    const requestMetadata = c.get('requestMetadata');

-    const session = await getSession(c);
+    const { session, user } = await getSession(c);

    await updatePassword({
-      userId: session.user.id,
+      userId: user.id,
      password,
      currentPassword,
      requestMetadata,
    });

+    const userSessionIds = await prisma.session
+      .findMany({
+        where: {
+          userId: user.id,
+          id: {
+            not: session.id,
+          },
+        },
+        select: {
+          id: true,
+        },
+      })
+      .then((sessions) => sessions.map((s) => s.id));
+
+    if (userSessionIds.length > 0) {
+      await invalidateSessions({
+        userId: user.id,
+        sessionIds: userSessionIds,
+        metadata: requestMetadata,
+        isRevoke: true,
+      });
+    }
+
    return c.text('OK', 201);
  })
  /**
@ -231,12 +255,41 @@ export const emailPasswordRoute = new Hono<HonoAuthContext>()

    const requestMetadata = c.get('requestMetadata');

+    // Look up user ID before password reset for session invalidation
+    const passwordResetToken = await prisma.passwordResetToken.findFirst({
+      where: { token },
+      select: { userId: true },
+    });
+
    await resetPassword({
      token,
      password,
      requestMetadata,
    });

+    // Invalidate all sessions after successful password reset
+    if (passwordResetToken) {
+      const userSessionIds = await prisma.session
+        .findMany({
+          where: {
+            userId: passwordResetToken.userId,
+          },
+          select: {
+            id: true,
+          },
+        })
+        .then((sessions) => sessions.map((session) => session.id));
+
+      if (userSessionIds.length > 0) {
+        await invalidateSessions({
+          userId: passwordResetToken.userId,
+          sessionIds: userSessionIds,
+          metadata: requestMetadata,
+          isRevoke: true,
+        });
+      }
+    }
+
    return c.text('OK', 201);
  })
  /**