feat: revoke token after sensitive operations (#6993)

fix #6914
2026-02-13 12:55:00 +00:00 · 2024-05-20 06:38:48 +00:00
parent 4c77ffd469
commit df73b6ddc7
5 changed files with 193 additions and 12 deletions
--- a/packages/backend/server/src/core/auth/resolver.ts
+++ b/packages/backend/server/src/core/auth/resolver.ts
@@ -98,6 +98,7 @@ export class AuthResolver {
    }

    await this.auth.changePassword(user.id, newPassword);
+    await this.auth.revokeUserSessions(user.id);

    return user;
  }
@@ -121,6 +122,7 @@ export class AuthResolver {
    email = decodeURIComponent(email);

    await this.auth.changeEmail(user.id, email);
+    await this.auth.revokeUserSessions(user.id);
    await this.auth.sendNotificationChangeEmail(email);

    return user;
--- a/packages/backend/server/src/core/auth/service.ts
+++ b/packages/backend/server/src/core/auth/service.ts
@@ -354,6 +354,15 @@ export class AuthService implements OnApplicationBootstrap {
    }
  }

+  async revokeUserSessions(userId: string, sessionId?: string) {
+    return this.db.userSession.deleteMany({
+      where: {
+        userId,
+        sessionId,
+      },
+    });
+  }
+
  async setCookie(_req: Request, res: Response, user: { id: string }) {
    const session = await this.createUserSession(
      user