Kill all sessions when deactivating a user

2025-08-07 17:03:01 +03:00 · 2024-07-16 12:15:21 +02:00
parent 857b76bb04
commit 6db455412f
1 changed files with 30 additions and 2 deletions
--- a/crates/tasks/src/user.rs
+++ b/crates/tasks/src/user.rs
@@ -15,8 +15,10 @@
 use anyhow::Context;
 use apalis_core::{context::JobContext, executor::TokioExecutor, monitor::Monitor};
 use mas_storage::{
+    compat::CompatSessionFilter,
    job::{DeactivateUserJob, JobWithSpanContext, ReactivateUserJob},
-    user::UserRepository,
+    oauth2::OAuth2SessionFilter,
+    user::{BrowserSessionFilter, UserRepository},
    RepositoryAccess,
 };
 use tracing::info;
@@ -52,7 +54,33 @@ async fn deactivate_user(
        .await
        .context("Failed to lock user")?;

-    // TODO: delete the sessions & access tokens
+    // Kill all sessions for the user
+    let n = repo
+        .browser_session()
+        .finish_bulk(
+            &clock,
+            BrowserSessionFilter::new().for_user(&user).active_only(),
+        )
+        .await?;
+    info!(affected = n, "Killed all browser sessions for user");
+
+    let n = repo
+        .oauth2_session()
+        .finish_bulk(
+            &clock,
+            OAuth2SessionFilter::new().for_user(&user).active_only(),
+        )
+        .await?;
+    info!(affected = n, "Killed all OAuth 2.0 sessions for user");
+
+    let n = repo
+        .compat_session()
+        .finish_bulk(
+            &clock,
+            CompatSessionFilter::new().for_user(&user).active_only(),
+        )
+        .await?;
+    info!(affected = n, "Killed all compatibility sessions for user");

    // Before calling back to the homeserver, commit the changes to the database, as
    // we want the user to be locked out as soon as possible