feat(user): implement session deletion on password reset

2025-03-21 15:45:29 +01:00
parent 26f4d37346
commit d7d80e926e
6 changed files with 48 additions and 10 deletions
--- a/app/Actions/Fortify/ResetUserPassword.php
+++ b/app/Actions/Fortify/ResetUserPassword.php
@@ -24,5 +24,6 @@ class ResetUserPassword implements ResetsUserPasswords
        $user->forceFill([
            'password' => Hash::make($input['password']),
        ])->save();
+        $user->deleteAllSessions();
    }
 }
--- a/app/Console/Commands/RootResetPassword.php
+++ b/app/Console/Commands/RootResetPassword.php
@@ -39,7 +39,8 @@ class RootResetPassword extends Command
        }
        $this->info('Updating root password...');
        try {
-            User::find(0)->update(['password' => Hash::make($password)]);
+            $user = User::find(0);
+            $user->update(['password' => Hash::make($password)]);
            $this->info('Root password updated successfully.');
        } catch (\Exception $e) {
            $this->error('Failed to update root password.');
--- a/app/Livewire/Profile/Index.php
+++ b/app/Livewire/Profile/Index.php
@@ -70,6 +70,7 @@ class Index extends Component
            $this->current_password = '';
            $this->new_password = '';
            $this->new_password_confirmation = '';
+            $this->dispatch('reloadWindow');
        } catch (\Throwable $e) {
            return handleError($e, $this);
        }
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -4,6 +4,7 @@ namespace App\Models;

 use App\Notifications\Channels\SendsEmail;
 use App\Notifications\TransactionalEmails\ResetPassword as TransactionalEmailsResetPassword;
+use App\Traits\DeletesUserSessions;
 use DateTimeInterface;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Foundation\Auth\User as Authenticatable;
@@ -37,7 +38,7 @@ use OpenApi\Attributes as OA;
 )]
 class User extends Authenticatable implements SendsEmail
 {
-    use HasApiTokens, HasFactory, Notifiable, TwoFactorAuthenticatable;
+    use DeletesUserSessions, HasApiTokens, HasFactory, Notifiable, TwoFactorAuthenticatable;

    protected $guarded = [];

@@ -57,6 +58,7 @@ class User extends Authenticatable implements SendsEmail
    protected static function boot()
    {
        parent::boot();
+
        static::created(function (User $user) {
            $team = [
                'name' => $user->name."'s Team",
--- a/app/Traits/DeletesUserSessions.php
+++ b/app/Traits/DeletesUserSessions.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Traits;
+
+use DB;
+use Illuminate\Support\Facades\Session;
+
+trait DeletesUserSessions
+{
+    /**
+     * Delete all sessions for the current user.
+     * This will force the user to log in again on all devices.
+     */
+    public function deleteAllSessions(): void
+    {
+        // Invalidate the current session
+        Session::invalidate();
+        Session::regenerateToken();
+        DB::table('sessions')->where('user_id', $this->id)->delete();
+    }
+
+    /**
+     * Boot the trait.
+     */
+    protected static function bootDeletesUserSessions()
+    {
+        static::updated(function ($user) {
+            // Check if password was changed
+            if ($user->isDirty('password')) {
+                $user->deleteAllSessions();
+            }
+        });
+    }
+}
--- a/resources/views/livewire/profile/index.blade.php
+++ b/resources/views/livewire/profile/index.blade.php
@@ -19,6 +19,7 @@
            <h2>Change Password</h2>
            <x-forms.button type="submit" label="Save">Save</x-forms.button>
        </div>
+        <div class="text-xs font-bold text-warning pb-2">Resetting the password will logout all sessions.</div>
        <div class="flex flex-col gap-2">
            <x-forms.input id="current_password" label="Current Password" required type="password" />
            <div class="flex gap-2">
@@ -36,23 +37,21 @@
        <div class="flex flex-col gap-4">
            <form action="/user/confirmed-two-factor-authentication" method="POST" class="flex items-end gap-2">
                @csrf
-                <x-forms.input type="text" inputmode="numeric" pattern="[0-9]*" id="code" label="One time (OTP) code" required />
+                <x-forms.input type="text" inputmode="numeric" pattern="[0-9]*" id="code"
+                    label="One time (OTP) code" required />
                <x-forms.button type="submit">Validate 2FA</x-forms.button>
            </form>
            <div class="flex flex-col items-start">
-                <div class="flex items-center justify-center w-80 h-80 bg-white p-4 border-4 border-gray-300 rounded-lg shadow-lg">
+                <div
+                    class="flex items-center justify-center w-80 h-80 bg-white p-4 border-4 border-gray-300 rounded-lg shadow-lg">
                    {!! request()->user()->twoFactorQrCodeSvg() !!}
                </div>
                <div x-data="{
                    showCode: false,
                }" class="py-4 w-full">
                    <div class="flex flex-col gap-2 pb-2" x-show="showCode">
-                        <x-forms.copy-button 
-                            text="{{ decrypt(request()->user()->two_factor_secret) }}" 
-                        />
-                        <x-forms.copy-button 
-                            text="{{ request()->user()->twoFactorQrCodeUrl() }}" 
-                        />
+                        <x-forms.copy-button text="{{ decrypt(request()->user()->two_factor_secret) }}" />
+                        <x-forms.copy-button text="{{ request()->user()->twoFactorQrCodeUrl() }}" />
                    </div>
                    <x-forms.button x-on:click="showCode = !showCode" class="mt-2">
                        <span x-text="showCode ? 'Hide Secret Key and OTP URL' : 'Show Secret Key and OTP URL'"></span>