Delete a user's other sessions on password change

Author: GrantGryczan

.sqlx/query-5e4f8a9f90fd5177a3f0883fb3026a2bf2216efb5588c8011de57054076ff355.json

@@ -1,6 +1,6 @@
 //! Helper functions that perform common database operations.
 
-use sqlx::PgTransaction;
+use sqlx::{postgres::PgQueryResult, PgTransaction};
 
 use crate::{
     crypto::hash_without_salt,
@@ -12,7 +12,7 @@ use crate::{
 ///
 /// # Errors
 ///
-/// Returns a transaction error if the database query fails.
+/// Returns a transaction error if any database query fails.
 pub(crate) async fn create_session<UserId, E>(
     tx: &mut PgTransaction<'static>,
     user_id: &UserId,
@@ -41,3 +41,25 @@ where
 
     Ok(token)
 }
+
+/// Deletes all of a user's sessions. This is a conventionally expected security feature whenever a
+/// user's password is changed.
+///
+/// # Errors
+///
+/// Returns a transaction error if any database query fails.
+pub(crate) async fn delete_all_sessions_for_user<UserId>(
+    tx: &mut PgTransaction<'static>,
+    user_id: &UserId,
+) -> sqlx::Result<PgQueryResult>
+where
+    UserId: AsRef<[u8]>,
+{
+    sqlx::query!(
+        "DELETE FROM sessions
+            WHERE user_id = $1",
+        user_id.as_ref(),
+    )
+    .execute(tx.as_mut())
+    .await
+}

backend/api/db_helpers.rs

@@ -8,7 +8,7 @@ use crate::{
     api::{
         self,
         cookie::{CookieWrapper, SessionCookie},
-        db_helpers::create_session,
+        db_helpers::{create_session, delete_all_sessions_for_user},
         extract::Query,
         response::{body::User, Response},
         validation::NewUserPassword,
@@ -74,6 +74,8 @@ pub(crate) async fn post(
             .fetch_one(tx.as_mut())
             .await?;
 
+            delete_all_sessions_for_user(tx, &password_reset.user_id).await?;
+
             let session_token = create_session(tx, &password_reset.user_id).await?;
 
             Ok((password_reset.user_id, user.name, session_token))