Add an option to the set password API to choose whether to logout other devices. (#7085)

2025-05-08 20:25:03 -04:00 · 2020-03-18 07:50:00 -04:00 · 2020-03-18 07:50:00 -04:00 · 88b41986db
commit 88b41986db
parent 6d110ddea4
5 changed files with 38 additions and 19 deletions
--- a/synapse/handlers/set_password.py
+++ b/synapse/handlers/set_password.py
@ -13,10 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 import logging
+from typing import Optional

 from twisted.internet import defer

 from synapse.api.errors import Codes, StoreError, SynapseError
+from synapse.types import Requester

 from ._base import BaseHandler

@ -32,14 +34,17 @@ class SetPasswordHandler(BaseHandler):
        self._device_handler = hs.get_device_handler()

    @defer.inlineCallbacks
-    def set_password(self, user_id, newpassword, requester=None):
+    def set_password(
+        self,
+        user_id: str,
+        new_password: str,
+        logout_devices: bool,
+        requester: Optional[Requester] = None,
+    ):
        if not self.hs.config.password_localdb_enabled:
            raise SynapseError(403, "Password change disabled", errcode=Codes.FORBIDDEN)

-        password_hash = yield self._auth_handler.hash(newpassword)
-
-        except_device_id = requester.device_id if requester else None
-        except_access_token_id = requester.access_token_id if requester else None
+        password_hash = yield self._auth_handler.hash(new_password)

        try:
            yield self.store.user_set_password_hash(user_id, password_hash)
@ -48,14 +53,18 @@ class SetPasswordHandler(BaseHandler):
                raise SynapseError(404, "Unknown user", Codes.NOT_FOUND)
            raise e

-        # we want to log out all of the user's other sessions. First delete
-        # all his other devices.
-        yield self._device_handler.delete_all_devices_for_user(
-            user_id, except_device_id=except_device_id
-        )
+        # Optionally, log out all of the user's other sessions.
+        if logout_devices:
+            except_device_id = requester.device_id if requester else None
+            except_access_token_id = requester.access_token_id if requester else None

-        # and now delete any access tokens which weren't associated with
-        # devices (or were associated with this device).
-        yield self._auth_handler.delete_access_tokens_for_user(
-            user_id, except_token_id=except_access_token_id
-        )
+            # First delete all of their other devices.
+            yield self._device_handler.delete_all_devices_for_user(
+                user_id, except_device_id=except_device_id
+            )
+
+            # and now delete any access tokens which weren't associated with
+            # devices (or were associated with this device).
+            yield self._auth_handler.delete_access_tokens_for_user(
+                user_id, except_token_id=except_access_token_id
+            )