invalidate other sessions on password change by fabracht · Pull Request #68 · LabOverWire/MQDB

fabracht · 2026-05-23T00:54:37Z

Summary

Adds SessionStore::destroy_others_by_canonical_id(canonical_id, keep_session_id) -> Vec<String> returning JWTs of removed sessions so callers can revoke their JTIs.
POST /auth/password/change now keeps the caller's session and destroys every other session for the same canonical_id. JTIs from those JWTs are added to JtiRevocationStore.
POST /auth/password/reset/submit destroys all sessions for the target user (no current session at reset time) and revokes their JTIs.
MQTT password-change path ($DB/_auth/password/change) is intentionally out of scope — AdminContext has no reference to SessionStore, and threading it through is plumbing for a separate PR.

Closes #37 (HTTP scope); MQTT path tracked as follow-up.

cargo make dev (format + clippy + 750 tests)
3 new unit tests in session_store.rs for the new method (keep-current-session / destroy-all / unknown-user)

fabracht added 3 commits May 22, 2026 17:54

invalidate other sessions on password change

a35fe16

extract verify_stored_password helper from handle_password_change

24315e9

drop unneeded to_string clone in handle_password_change

0076b72

fabracht mentioned this pull request May 23, 2026

MQTT password-change does not invalidate HTTP sessions #69

Open