✨ Invalidate all other sessions on password change.

backend/src/app/http/session.clj

@@ -72,7 +72,10 @@
       (do
         (a/>!! (::events-ch cfg) id)
         (l/update-thread-context! {:profile-id profile-id})
-        (handler (assoc request :profile-id profile-id)))
+        (-> request
+            (assoc :profile-id profile-id)
+            (assoc :session-id id)
+            (handler)))
       (handler request))))
 
 ;; --- STATE INIT: SESSION

backend/src/app/rpc.clj

@@ -30,7 +30,7 @@
   response)
 
 (defn- rpc-query-handler
-  [methods {:keys [profile-id] :as request}]
+  [methods {:keys [profile-id session-id] :as request}]
   (let [type   (keyword (get-in request [:path-params :type]))
 
         data   (merge (:params request)
@@ -39,7 +39,7 @@
                       {::request request})
 
         data   (if profile-id
-                 (assoc data :profile-id profile-id)
+                 (assoc data :profile-id profile-id ::session-id session-id)
                  (dissoc data :profile-id))
 
         result ((get methods type default-handler) data)
@@ -50,7 +50,7 @@
       ((:transform-response mdata) request))))
 
 (defn- rpc-mutation-handler
-  [methods {:keys [profile-id] :as request}]
+  [methods {:keys [profile-id session-id] :as request}]
   (let [type   (keyword (get-in request [:path-params :type]))
         data   (merge (:params request)
                       (:body-params request)
@@ -58,7 +58,7 @@
                       {::request request})
 
         data   (if profile-id
-                 (assoc data :profile-id profile-id)
+                 (assoc data :profile-id profile-id ::session-id session-id)
                  (dissoc data :profile-id))
 
         result ((get methods type default-handler) data)

backend/src/app/rpc/mutations/fonts.clj

@@ -48,7 +48,6 @@
   (let [data    (media/run cfg {:cmd :generate-fonts :input data :rlimit :font})
         storage (media/configure-assets-storage storage conn)
 
-
         otf     (when-let [fdata (get data "font/otf")]
                   (sto/put-object storage {:content (sto/content fdata)
                                            :content-type "font/otf"}))

backend/src/app/rpc/mutations/profile.clj

@@ -367,6 +367,7 @@
 
 (declare validate-password!)
 (declare update-profile-password!)
+(declare invalidate-profile-session!)
 
 (s/def ::update-profile-password
   (s/keys :req-un [::profile-id ::password ::old-password]))
@@ -374,8 +375,10 @@
 (sv/defmethod ::update-profile-password {:rlimit :password}
   [{:keys [pool] :as cfg} {:keys [password] :as params}]
   (db/with-atomic [conn pool]
-    (let [profile (validate-password! conn params)]
+    (let [profile    (validate-password! conn params)
+          session-id (:app.rpc/session-id params)]
       (update-profile-password! conn (assoc profile :password password))
+      (invalidate-profile-session! conn (:id profile) session-id)
       nil)))
 
 (defn- validate-password!
@@ -392,6 +395,11 @@
               {:password (derive-password password)}
               {:id id}))
 
+(defn- invalidate-profile-session!
+  "Removes all sessions except the current one."
+  [conn profile-id session-id]
+  (let [sql "delete from http_session where profile_id = ? and id != ?"]
+    (:next.jdbc/update-count (db/exec-one! conn [sql profile-id session-id]))))
 
 ;; --- MUTATION: Update Photo
 

frontend/src/app/main/ui/settings/password.cljs

@@ -19,11 +19,10 @@
 (defn- on-error
   [form error]
   (case (:code error)
-    :app.services.mutations.profile/old-password-not-match
+    :old-password-not-match
     (swap! form assoc-in [:errors :password-old]
            {:message (tr "errors.wrong-old-password")})
 
-    :else
     (let [msg (tr "generic.error")]
       (st/emit! (dm/error msg)))))