From 015771910f34f16e6e6da70e86b2f61aa6e7435a Mon Sep 17 00:00:00 2001
From: Denis Arh
Date: Wed, 10 Nov 2021 10:51:03 +0100
Subject: [PATCH] Remove user's access tokens on password change

---
 system/service/auth.go | 4 ++++
 system/service/user.go | 10 +++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/system/service/auth.go b/system/service/auth.go
index eb3fe574c6..247c7cbc84 100644
--- a/system/service/auth.go
+++ b/system/service/auth.go
@@ -607,6 +607,10 @@ func (svc auth) ChangePassword(ctx context.Context, userID uint64, oldPassword,
 return err
 }

+ if err = svc.RemoveAccessTokens(ctx, u); err != nil {
+ return err
+ }
+
 return nil
 }()

diff --git a/system/service/user.go b/system/service/user.go
index e4b6dcd429..958b576377 100644
--- a/system/service/user.go
+++ b/system/service/user.go
@@ -697,7 +697,7 @@ func (svc user) SetPassword(ctx context.Context, userID uint64, newPassword stri
 a = UserActionSetPassword
 )

- err = func() error {
+ err = func() (err error) {
 if u, err = store.LookupUserByID(ctx, svc.store, userID); err != nil {
 return err
 }
@@ -712,6 +712,10 @@ func (svc user) SetPassword(ctx context.Context, userID uint64, newPassword stri
 return UserErrNotAllowedToUpdate()
 }

+ if err = svc.auth.RemoveAccessTokens(ctx, u); err != nil {
+ return
+ }
+
 if newPassword == "" {
 a = UserActionRemovePassword
 return svc.auth.RemovePasswordCredentials(ctx, userID)
@@ -721,8 +725,8 @@ func (svc user) SetPassword(ctx context.Context, userID uint64, newPassword stri
 return UserErrPasswordNotSecure()
 }

- if err := svc.auth.SetPasswordCredentials(ctx, userID, newPassword); err != nil {
- return err
+ if err = svc.auth.SetPasswordCredentials(ctx, userID, newPassword); err != nil {
+ return
 }

 return nil
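Review bot: If the added `svc.RemoveAccessTokens(ctx, u)` call in ChangePassword fails, the caller gets an error even though the password update earlier in the closure may already be stored. Nothing in the hunk shows whether the closure runs inside a store transaction that would roll the credential change back, so that is worth confirming. The call also deserves a why-comment, for example `// revoke every existing access token so a leaked token does not outlive the old password`. It is not visible here whether RemoveAccessTokens also covers refresh tokens and browser sessions; if it does not, those would survive the password change. The closure starts outside the hunk.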
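Review bot: The named result in `err = func() (err error) {` shadows the outer `err` that the closure's return value is assigned to, which makes it harder to see which variable each assignment inside the closure writes. The closure also now mixes the naked `return` added in the hunks at -712 and -721 with the existing `return err` and `return nil`. Keeping the unnamed `func() error` signature and writing `return err` in the two new branches would give the same `:=` to `=` cleanup without the shadowing. SetPassword's body starts and ends outside the hunk.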
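Review bot: In SetPassword the tokens are revoked before the new password is accepted, because `svc.auth.RemoveAccessTokens(ctx, u)` sits ahead of the `UserErrPasswordNotSecure()` rejection and the `SetPasswordCredentials` call shown in the next hunk. Unless the closure runs in a transaction that is rolled back on error (not visible here), a rejected or failed password change still signs the user out everywhere while the old password stays valid. ChangePassword in auth.go revokes after the credential update, so the two paths are also inconsistent. Consider moving the `if err = svc.auth.RemoveAccessTokens(ctx, u); err != nil { return err }` block so it runs after the credential change has succeeded in both the remove-password and set-password branches.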