feat(user): implement session cleanup on user update

- Added functionality to delete old sessions when a user updates their password, ensuring that only the current session remains active.
- This change enhances security by preventing unauthorized access from previous sessions after a password change.

Closes https://github.com/Dokploy/dokploy/security/advisories/GHSA-rr9m-w87g-46f3
This commit is contained in:
Mauricio Siu
2026-05-13 00:49:32 -06:00
parent 67278d8783
commit 1fdbe87d84
+11 -1
@@ -23,6 +23,7 @@ import {
apiUpdateUser,
invitation,
member,
session,
user,
} from "@dokploy/server/db/schema";
import {
@@ -32,7 +33,7 @@ import {
import { hasValidLicense } from "@dokploy/server/services/proprietary/license-key";
import { TRPCError } from "@trpc/server";
import * as bcrypt from "bcrypt";
import { and, asc, eq, gt } from "drizzle-orm";
import { and, asc, eq, gt, ne } from "drizzle-orm";
import { z } from "zod";
import { audit } from "@/server/api/utils/audit";
import {
@@ -229,6 +230,15 @@ export const userRouter = createTRPCRouter({
password: bcrypt.hashSync(input.password, 10),
})
.where(eq(account.userId, ctx.user.id));
await db
.delete(session)
.where(
and(
eq(session.userId, ctx.user.id),
ne(session.id, ctx.session.id),
),
);
}
try {