🔒 fix: resolve session persistence post password reset (#5077)

*  feat: Implement session management with CRUD operations and integrate into user workflows

*  refactor: Update session model import paths and enhance session creation logic in AuthService

*  refactor: Validate session and user ID formats in session management functions

*  style: Enhance UI components with improved styling and accessibility features

* chore: Update login form tests to use getByTestId instead of getByRole, remove console.log()

* chore: Update login form tests to use getByTestId instead of getByRole

---------

Co-authored-by: Danny Avila <danny@librechat.ai>
Marco Beretta 2024-12-23 11:12:07 +01:00 committed by GitHub
parent 9bca2ae953
commit bdb222d5f4
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
17 changed files with 402 additions and 116 deletions


@ -6,8 +6,8 @@ const {
setAuthTokens,
requestPasswordReset,
} = require('~/server/services/AuthService');
const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
const { hashToken } = require('~/server/utils/crypto');
const { Session, getUserById } = require('~/models');
const { logger } = require('~/config');
const registrationController = async (req, res) => {
@ -45,6 +45,7 @@ const resetPasswordController = async (req, res) => {
if (resetPasswordService instanceof Error) {
return res.status(400).json(resetPasswordService);
} else {
await deleteAllUserSessions({ userId: req.body.userId });
return res.status(200).json(resetPasswordService);
}
} catch (e) {
@ -77,7 +78,7 @@ const refreshController = async (req, res) => {
const hashedToken = await hashToken(refreshToken);
// Find the session with the hashed refresh token
const session = await Session.findOne({ user: userId, refreshTokenHash: hashedToken });
const session = await findSession({ userId: userId, refreshToken: hashedToken });
if (session && session.expiration > new Date()) {
const token = await setAuthTokens(userId, res, session._id);
res.status(200).send({ token, user });
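Review bot: In the resetPasswordController hunk, the new `await deleteAllUserSessions({ userId: req.body.userId })` runs after the password has already been changed, so if it rejects (a DB error, or the id-format validation the description says these helpers now perform) control falls into the surrounding `catch` and the client gets an error for a reset that actually succeeded, while the stale sessions this commit is meant to kill stay valid with nothing recorded. Since the reset itself cannot be rolled back at that point, I would isolate the revocation so its failure is logged explicitly rather than masking the result; `logger` is already imported at the top of this file. It is also worth noting that `userId` here is taken straight from the request body rather than from whatever the reset service verified, which is fine only as long as the service rejects a token that does not belong to that id — that check lives outside this hunk, as does the start of the function. The `findSession` call in the refresh hunk passes the already-hashed value under a key named `refreshToken`; if that helper hashes its argument again the lookup can never match, so the key (or a comment) should make clear it expects the hash.
```javascript
} else {
  // Password is already changed; a failed revocation must not turn the
  // successful reset into an error response, but it must be visible in logs.
  try {
    await deleteAllUserSessions({ userId: req.body.userId });
  } catch (err) {
    logger.error('[resetPasswordController] failed to revoke sessions after password reset', err);
  }
  return res.status(200).json(resetPasswordService);
}
```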


@ -1,5 +1,4 @@
const {
Session,
Balance,
getFiles,
deleteFiles,
@ -7,6 +6,7 @@ const {
deletePresets,
deleteMessages,
deleteUserById,
deleteAllUserSessions,
} = require('~/models');
const User = require('~/models/User');
const { updateUserPluginAuth, deleteUserPluginAuth } = require('~/server/services/PluginService');
@ -112,7 +112,7 @@ const deleteUserController = async (req, res) => {
try {
await deleteMessages({ user: user.id }); // delete user messages
await Session.deleteMany({ user: user.id }); // delete user sessions
await deleteAllUserSessions({ userId: user.id }); // delete user sessions
await Transaction.deleteMany({ user: user.id }); // delete user transactions
await deleteUserKey({ userId: user.id, all: true }); // delete user keys
await Balance.deleteMany({ user: user._id }); // delete user balances