From bd96b5d7225ea3028053b9c3e1cb7ecd7ee5db69 Mon Sep 17 00:00:00 2001
From: Jason Ertel
Date: Mon, 6 Jan 2025 17:23:10 -0500
Subject: [PATCH] invalidate user sessions when an admin changes the user's password

---
 salt/manager/tools/sbin/so-user | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/salt/manager/tools/sbin/so-user b/salt/manager/tools/sbin/so-user
index f34681c04..e6ac9eb1f 100755
--- a/salt/manager/tools/sbin/so-user
+++ b/salt/manager/tools/sbin/so-user
@@ -241,6 +241,10 @@ function updatePassword() {
 [[ $? != 0 ]] && fail "Unable to clear aal2 identity IDs"
 echo "delete from identity_credentials where identity_id='${identityId}' and identity_credential_type_id in (select id from identity_credential_types where name in ('totp', 'webauthn', 'oidc'));" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
 [[ $? != 0 ]] && fail "Unable to clear aal2 identity credentials"
+ echo "delete from session_devices where session_id in (select id from sessions where identity_id='${identityId}');" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
+ [[ $? != 0 ]] && fail "Unable to clear session devices"
+ echo "delete from sessions where identity_id='${identityId}';" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
+ [[ $? != 0 ]] && fail "Unable to clear sessions"
 echo "update identities set available_aal='aal1' where id='${identityId}';" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"
 [[ $? != 0 ]] && fail "Unable to reset aal"
 fi
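Review bot: The two new deletes on session_devices and sessions run as separate sqlite3 invocations, so a failure or lock timeout between them leaves session_devices cleared while the sessions rows — the ones that actually keep the user logged in — remain, and the script stops at `fail` before the aal reset below ever runs. Issuing both statements in a single sqlite3 call inside a transaction makes the invalidation all-or-nothing: `echo "begin; delete from session_devices where session_id in (select id from sessions where identity_id='${identityId}'); delete from sessions where identity_id='${identityId}'; commit;" | sqlite3 -cmd ".timeout ${databaseTimeout}" "$databasePath"` followed by the existing `[[ $? != 0 ]] && fail "Unable to clear sessions"` check. The added lines also splice `${identityId}` into the SQL text like the surrounding statements; that is only safe if identityId is a value read back from the database rather than something taken from the caller, which this hunk does not show, so a short comment at the top of updatePassword stating where identityId comes from would help the next reader. updatePassword begins outside the hunk.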