Delete all other sessions after setting a new password

2023-09-17 20:47:28 +02:00 · 2023-09-17 20:47:28 +02:00 · c06cb767da
parent dbb089315f
commit c06cb767da
2 changed files with 12 additions and 0 deletions
--- a/src/Controllers/SettingsController.php
+++ b/src/Controllers/SettingsController.php
@ -145,6 +145,11 @@ class SettingsController extends BaseController

            $this->addNotification('settings.password.success');
            $this->log->info('User set new password.');
+
+            $user->sessions()
+                ->getQuery()
+                ->where('id', '!=', session()->getId())
+                ->delete();
        }

        return $this->redirect->to('/settings/password');
--- a/tests/Unit/Controllers/SettingsControllerTest.php
+++ b/tests/Unit/Controllers/SettingsControllerTest.php
@ -283,6 +283,13 @@ class SettingsControllerTest extends ControllerTest
        $session = $this->app->get('session');
        $messages = $session->get('messages.' . NotificationType::MESSAGE->value);
        $this->assertEquals('settings.password.success', $messages[0]);
+
+        $this->assertCount(
+            1,
+            SessionModel::whereUserId($this->user->id)->get(),
+            'All other user sessions should be deleted after setting a new password'
+        );
+        $this->assertCount(2, SessionModel::all()); // Current session and another one should be still there
    }

    /**