Delete old devices when deauthorizing user sessions

6 years ago · 6027b969f5
2 changed files with 2 additions and 0 deletions
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@ -171,6 +171,7 @@ fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
        None => err!("User doesn't exist"),
    };

+    Device::delete_all_by_user(&user.uuid, &conn)?;
    user.reset_security_stamp();

    user.save(&conn)
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -322,6 +322,7 @@ fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -
        err!("Invalid password")
    }

+    Device::delete_all_by_user(&user.uuid, &conn)?;
    user.reset_security_stamp();
    user.save(&conn)
 }