improve org policy error message responses

2026-06-26 17:19:09 +00:00 · 2026-06-24 16:32:46 -04:00
parent 242123b875
commit 6fe4eee336
21 changed files with 155 additions and 94 deletions
--- a/server/routers/auth/changePassword.ts
+++ b/server/routers/auth/changePassword.ts
@@ -10,9 +10,8 @@ import { hashPassword, verifyPassword } from "@server/auth/password";
 import { verifyTotpCode } from "@server/auth/totp";
 import logger from "@server/logger";
 import { unauthorized } from "@server/auth/unauthorizedResponse";
-import { invalidateAllSessions } from "@server/auth/sessions/app";
-import { sessions, resourceSessions } from "@server/db";
-import { and, eq, ne, inArray } from "drizzle-orm";
+import { invalidateAllSessionsExceptCurrent } from "@server/auth/sessions/app";
+import { eq } from "drizzle-orm";
 import { passwordSchema } from "@server/auth/passwordSchema";
 import { UserType } from "@server/types/UserTypes";
 import { sendEmail } from "@server/emails";
@@ -31,48 +30,6 @@ export type ChangePasswordResponse = {
    codeRequested?: boolean;
 };

-async function invalidateAllSessionsExceptCurrent(
-    userId: string,
-    currentSessionId: string
-): Promise<void> {
-    try {
-        await db.transaction(async (trx) => {
-            // Get all user sessions except the current one
-            const userSessions = await trx
-                .select()
-                .from(sessions)
-                .where(
-                    and(
-                        eq(sessions.userId, userId),
-                        ne(sessions.sessionId, currentSessionId)
-                    )
-                );
-
-            // Delete resource sessions for the sessions we're invalidating
-            if (userSessions.length > 0) {
-                await trx.delete(resourceSessions).where(
-                    inArray(
-                        resourceSessions.userSessionId,
-                        userSessions.map((s) => s.sessionId)
-                    )
-                );
-            }
-
-            // Delete the user sessions (except current)
-            await trx
-                .delete(sessions)
-                .where(
-                    and(
-                        eq(sessions.userId, userId),
-                        ne(sessions.sessionId, currentSessionId)
-                    )
-                );
-        });
-    } catch (e) {
-        logger.error("Failed to invalidate user sessions except current", e);
-    }
-}
-
 export async function changePassword(
    req: Request,
    res: Response,
--- a/server/routers/auth/verifyTotp.ts
+++ b/server/routers/auth/verifyTotp.ts
@@ -15,6 +15,10 @@ import TwoFactorAuthNotification from "@server/emails/templates/TwoFactorAuthNot
 import config from "@server/lib/config";
 import { UserType } from "@server/types/UserTypes";
 import { generateBackupCodes } from "@server/lib/totp";
+import {
+    invalidateAllSessions,
+    invalidateAllSessionsExceptCurrent
+} from "@server/auth/sessions/app";
 import { verifySession } from "@server/auth/sessions/verifySession";
 import { unauthorized } from "@server/auth/unauthorizedResponse";

@@ -168,6 +172,15 @@ export async function verifyTotp(
            );
        }

+        if (existingSession) {
+            await invalidateAllSessionsExceptCurrent(
+                user.userId,
+                existingSession.sessionId
+            );
+        } else {
+            await invalidateAllSessions(user.userId);
+        }
+
        sendEmail(
            TwoFactorAuthNotification({
                email: user.email!,