From 6027b969f542b29365875fa78dbf77765b12d290 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Garc=C3=ADa?=
Date: Sat, 16 Feb 2019 23:06:26 +0100
Subject: [PATCH] Delete old devices when deauthorizing user sessions
---
 src/api/admin.rs | 1 +
 src/api/core/accounts.rs | 1 +
 2 files changed, 2 insertions(+)
diff --git a/src/api/admin.rs b/src/api/admin.rs
index 37b03c1..68a0138 100644
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@@ -171,6 +171,7 @@ fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
 None => err!("User doesn't exist"),
 };
+ Device::delete_all_by_user(&user.uuid, &conn)?;
 user.reset_security_stamp();
 user.save(&conn)
diff --git a/src/api/core/accounts.rs b/src/api/core/accounts.rs
index beeb74b..bc2d286 100644
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@@ -322,6 +322,7 @@ fn post_sstamp(data: JsonUpcase, headers: Headers, conn: DbConn) -
 err!("Invalid password")
 }
+ Device::delete_all_by_user(&user.uuid, &conn)?;
 user.reset_security_stamp();
 user.save(&conn)
 }
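Review bot: In `deauth_user`, the added `Device::delete_all_by_user(&user.uuid, &conn)?;` returns early on error, so a failed or partial device delete skips `reset_security_stamp()` and `save()` and leaves the deauthorization half-applied; the same line is added in `post_sstamp` in src/api/core/accounts.rs. Nothing visible in either hunk makes the delete and the stamp save atomic, so if the database layer offers a transaction, both writes should run inside one. Whether `delete_all_by_user` is itself all-or-nothing cannot be seen from here. At minimum, document the failure mode above the call, e.g. `// Deauth must be all-or-nothing: if this delete fails, the security stamp below is NOT rotated; the caller must retry.` Both function bodies begin outside their hunks, so the user lookup and the password check are not covered by this note.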