From c06cb767da8b9195c50447aefbfc56a00060a304 Mon Sep 17 00:00:00 2001
From: Igor Scheller
Date: Sun, 17 Sep 2023 20:47:28 +0200
Subject: [PATCH] Delete all other sessions after setting a new password
---
 src/Controllers/SettingsController.php | 5 +++++
 tests/Unit/Controllers/SettingsControllerTest.php | 7 +++++++
 2 files changed, 12 insertions(+)
diff --git a/src/Controllers/SettingsController.php b/src/Controllers/SettingsController.php
index 38dd5020..0002ee3e 100644
--- a/src/Controllers/SettingsController.php
+++ b/src/Controllers/SettingsController.php
@@ -145,6 +145,11 @@ class SettingsController extends BaseController
 $this->addNotification('settings.password.success');
 $this->log->info('User set new password.');
+
+ $user->sessions()
+ ->getQuery()
+ ->where('id', '!=', session()->getId())
+ ->delete();
 }
 return $this->redirect->to('/settings/password');
diff --git a/tests/Unit/Controllers/SettingsControllerTest.php b/tests/Unit/Controllers/SettingsControllerTest.php
index d3d3877c..1ae5e1b1 100644
--- a/tests/Unit/Controllers/SettingsControllerTest.php
+++ b/tests/Unit/Controllers/SettingsControllerTest.php
@@ -283,6 +283,13 @@ class SettingsControllerTest extends ControllerTest
 $session = $this->app->get('session');
 $messages = $session->get('messages.' . NotificationType::MESSAGE->value);
 $this->assertEquals('settings.password.success', $messages[0]);
+
+ $this->assertCount(
+ 1,
+ SessionModel::whereUserId($this->user->id)->get(),
+ 'All other user sessions should be deleted after setting a new password'
+ );
+ $this->assertCount(2, SessionModel::all()); // Current session and another one should be still there
 }
 /**
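Review bot: The added `$user->sessions()...->delete()` chain carries no comment saying it is a security measure, and it only runs on this controller's change-password success path; if a forgot-password/reset flow or an admin-set-password path exists elsewhere (not visible in this diff), a hijacked session would still survive those unless they do the same. Suggest a why-comment directly above the chain: `// Security: invalidate every other session of this user so a hijacked or shared session does not outlive the password change`. The query also assumes the sessions table `id` column holds exactly the value `session()->getId()` returns — the test asserts the current session survives, but stating that assumption in the comment would help the next maintainer. `->getQuery()` is presumably redundant since an Eloquent relation forwards `where()`/`delete()` to its constrained builder, but that is cosmetic. The enclosing `if` block and the method signature start outside the hunk.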
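Review bot: The new `assertCount(1, SessionModel::whereUserId($this->user->id)->get(), ...)` only checks that one session remains for the user, not that the surviving one is the caller's own session, so a bug that deleted the current session and kept a foreign one would still pass. Add an identity assertion after it, e.g. `$this->assertEquals(session()->getId(), SessionModel::whereUserId($this->user->id)->first()->id);` (assuming the test's session container is the one `session()` resolves to in the controller — confirm against the test bootstrap). The second `assertCount(2, SessionModel::all())` depends on fixtures that create the other user's session and the extra session for this user, which are set up outside the hunk; the test method's signature and arrange phase also start outside it.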