feat(user): implement session deletion on password reset

2025-03-21 15:45:29 +01:00
parent 26f4d37346
commit d7d80e926e
6 changed files with 48 additions and 10 deletions
--- a/app/Actions/Fortify/ResetUserPassword.php
+++ b/app/Actions/Fortify/ResetUserPassword.php
@@ -24,5 +24,6 @@ class ResetUserPassword implements ResetsUserPasswords
        $user->forceFill([
            'password' => Hash::make($input['password']),
        ])->save();
+        $user->deleteAllSessions();
    }
 }
--- a/app/Console/Commands/RootResetPassword.php
+++ b/app/Console/Commands/RootResetPassword.php
@@ -39,7 +39,8 @@ class RootResetPassword extends Command
        }
        $this->info('Updating root password...');
        try {
-            User::find(0)->update(['password' => Hash::make($password)]);
+            $user = User::find(0);
+            $user->update(['password' => Hash::make($password)]);
            $this->info('Root password updated successfully.');
        } catch (\Exception $e) {
            $this->error('Failed to update root password.');
--- a/app/Livewire/Profile/Index.php
+++ b/app/Livewire/Profile/Index.php
@@ -70,6 +70,7 @@ class Index extends Component
            $this->current_password = '';
            $this->new_password = '';
            $this->new_password_confirmation = '';
+            $this->dispatch('reloadWindow');
        } catch (\Throwable $e) {
            return handleError($e, $this);
        }
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -4,6 +4,7 @@ namespace App\Models;

 use App\Notifications\Channels\SendsEmail;
 use App\Notifications\TransactionalEmails\ResetPassword as TransactionalEmailsResetPassword;
+use App\Traits\DeletesUserSessions;
 use DateTimeInterface;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Foundation\Auth\User as Authenticatable;
@@ -37,7 +38,7 @@ use OpenApi\Attributes as OA;
 )]
 class User extends Authenticatable implements SendsEmail
 {
-    use HasApiTokens, HasFactory, Notifiable, TwoFactorAuthenticatable;
+    use DeletesUserSessions, HasApiTokens, HasFactory, Notifiable, TwoFactorAuthenticatable;

    protected $guarded = [];

@@ -57,6 +58,7 @@ class User extends Authenticatable implements SendsEmail
    protected static function boot()
    {
        parent::boot();
+
        static::created(function (User $user) {
            $team = [
                'name' => $user->name."'s Team",
--- a/app/Traits/DeletesUserSessions.php
+++ b/app/Traits/DeletesUserSessions.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Traits;
+
+use DB;
+use Illuminate\Support\Facades\Session;
+
+trait DeletesUserSessions
+{
+    /**
+     * Delete all sessions for the current user.
+     * This will force the user to log in again on all devices.
+     */
+    public function deleteAllSessions(): void
+    {
+        // Invalidate the current session
+        Session::invalidate();
+        Session::regenerateToken();
+        DB::table('sessions')->where('user_id', $this->id)->delete();
+    }
+
+    /**
+     * Boot the trait.
+     */
+    protected static function bootDeletesUserSessions()
+    {
+        static::updated(function ($user) {
+            // Check if password was changed
+            if ($user->isDirty('password')) {
+                $user->deleteAllSessions();
+            }
+        });
+    }
+}