Revoke personal sessions on user deactivation

2025-10-22 11:26:42 +01:00
parent 120c8f7d23
commit c94e4ea27b
1 changed files with 31 additions and 0 deletions
--- a/crates/tasks/src/user.rs
+++ b/crates/tasks/src/user.rs
@@ -10,6 +10,7 @@ use mas_storage::{
    RepositoryAccess,
    compat::CompatSessionFilter,
    oauth2::OAuth2SessionFilter,
+    personal::PersonalSessionFilter,
    queue::{DeactivateUserJob, ReactivateUserJob},
    user::{BrowserSessionFilter, UserEmailFilter, UserRepository},
 };
@@ -80,6 +81,36 @@ impl RunnableJob for DeactivateUserJob {
            .map_err(JobError::retry)?;
        info!(affected = n, "Killed all compatibility sessions for user");

+        let n = repo
+            .personal_session()
+            .revoke_bulk(
+                clock,
+                PersonalSessionFilter::new()
+                    .for_actor_user(&user)
+                    .active_only(),
+            )
+            .await
+            .map_err(JobError::retry)?;
+        info!(
+            affected = n,
+            "Killed all compatibility sessions acting as user"
+        );
+
+        let n = repo
+            .personal_session()
+            .revoke_bulk(
+                clock,
+                PersonalSessionFilter::new()
+                    .for_owner_user(&user)
+                    .active_only(),
+            )
+            .await
+            .map_err(JobError::retry)?;
+        info!(
+            affected = n,
+            "Killed all compatibility sessions owned by user"
+        );
+
        // Delete all the email addresses for the user
        let n = repo
            .user_email()