fix: invalidate all refresh token and populate a new token for current session on password change

Signed-off-by: Pranav C <pranavxc@gmail.com>
4 months ago · 7795f0405d
2 changed files with 7 additions and 1 deletions
--- a/packages/nocodb/src/modules/auth/auth.controller.ts
+++ b/packages/nocodb/src/modules/auth/auth.controller.ts
@ -140,7 +140,7 @@ export class AuthController {
    scope: 'org',
  })
  @HttpCode(200)
-  async passwordChange(@Req() req: NcRequest): Promise<any> {
+  async passwordChange(@Req() req: NcRequest, @Res() res): Promise<any> {
    if (!(req as any).isAuthenticated?.()) {
      NcError.forbidden('Not allowed');
    }
@ -151,6 +151,9 @@ export class AuthController {
      body: req.body,
    });

+    // set new refresh token
+    await this.setRefreshToken({ req, res });
+
    return { msg: 'Password has been updated successfully' };
  }

--- a/packages/nocodb/src/services/users/users.service.ts
+++ b/packages/nocodb/src/services/users/users.service.ts
@ -201,6 +201,9 @@ export class UsersService {
      token_version: randomTokenString(),
    });

+    // delete all refresh token and populate a new one
+    await UserRefreshToken.deleteAllUserToken(user.id);
+
    this.appHooksService.emit(AppEvents.USER_PASSWORD_CHANGE, {
      user: user,
      ip: param.req?.clientIp,