From 65b3561244af009815b1a53e93f4c35511d64d84 Mon Sep 17 00:00:00 2001
From: Maurits Lourens
Date: Tue, 29 Mar 2022 10:06:54 +0200
Subject: [PATCH] invalidate sessions before login
---
 packages/backend-core/src/middleware/passport/local.js | 8 +++++++-
 .../src/middleware/passport/third-party-common.js | 8 +++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/packages/backend-core/src/middleware/passport/local.js b/packages/backend-core/src/middleware/passport/local.js
index 2149bd3e18..f3921bea51 100644
--- a/packages/backend-core/src/middleware/passport/local.js
+++ b/packages/backend-core/src/middleware/passport/local.js
@@ -5,7 +5,10 @@ const env = require("../../environment")
 const { getGlobalUserByEmail } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const { createASession } = require("../../security/sessions")
+const {
+ createASession,
+ invalidateSessions,
+} = require("../../security/sessions")
 const { getTenantId } = require("../../tenancy")
 const INVALID_ERR = "Invalid credentials"
@@ -53,6 +56,9 @@ exports.authenticate = async function (ctx, email, password, done) {
 // authenticate
 if (await compare(password, dbUser.password)) {
+ // invalidate all other sessions
+ await invalidateSessions(dbUser._id)
+
 const sessionId = newid()
 const tenantId = getTenantId()
 await createASession(dbUser._id, { sessionId, tenantId })
diff --git a/packages/backend-core/src/middleware/passport/third-party-common.js b/packages/backend-core/src/middleware/passport/third-party-common.js
index b467c0b10b..32be3f474a 100644
--- a/packages/backend-core/src/middleware/passport/third-party-common.js
+++ b/packages/backend-core/src/middleware/passport/third-party-common.js
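Review bot: The added `await invalidateSessions(dbUser._id)` runs before the new session exists, so despite the comment it revokes every session the user currently holds — including legitimate ones on other devices — which makes this a single-active-session policy rather than an "other sessions" cleanup, and the comment should say so: `// revoke every existing session for this user before issuing a new one: a successful login becomes the only valid session (this also evicts any session an attacker already holds)`. The order is the fail-closed one (revoke, then `createASession`): a failure between the two leaves the user with no session rather than a stale one, which is worth one more line so nobody swaps the calls later. `createASession` receives `tenantId` while `invalidateSessions` receives only `dbUser._id`; it is not visible here whether invalidation is tenant-scoped, so confirm it cannot touch a same-id user in another tenant. `exports.authenticate` starts before this hunk and continues past it.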
@@ -4,7 +4,10 @@ const { generateGlobalUserID } = require("../../db/utils")
 const { saveUser } = require("../../utils")
 const { authError } = require("./utils")
 const { newid } = require("../../hashing")
-const { createASession } = require("../../security/sessions")
+const {
+ createASession,
+ invalidateSessions,
+} = require("../../security/sessions")
 const { getGlobalUserByEmail } = require("../../utils")
 const { getGlobalDB, getTenantId } = require("../../tenancy")
 const fetch = require("node-fetch")
@@ -76,6 +79,9 @@ exports.authenticateThirdParty = async function (
 // never prompt for password reset
 dbUser.forceResetPassword = false
+ // invalidate all other sessions
+ await invalidateSessions(dbUser._id)
+
 // create or sync the user
 let response
 try {
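Review bot: `await invalidateSessions(dbUser._id)` is called before the user is created or synced in the `try` that follows, so if that save fails the user's existing sessions are already revoked although no login completed; moving the call after the successful save, immediately before the new session is issued (outside this hunk), would revoke only on a login that actually succeeds, matching local.js where the same call sits inside the password-check branch. For a first-time third-party user `dbUser._id` is presumably a freshly generated id (`generateGlobalUserID` is imported), so the call is a no-op there — harmless, but worth stating. The comment also overstates its precision, since there is no current session at this point: `// revoke every existing session for this user; the login below issues a fresh one`. Because the call sits outside the `try`, a rejection from the session store propagates out of the strategy rather than through whatever the `catch` below does — confirm that is intended. `exports.authenticateThirdParty` starts before this hunk and continues past it.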