botpress · davidvitora · Aug 28, 2023 · Jun 14, 2023
diff --git a/packages/bp/src/core/security/strategy-basic.ts b/packages/bp/src/core/security/strategy-basic.ts
@@ -32,14 +32,14 @@ export class StrategyBasic {
     router.post(
       '/login/basic/:strategy',
       this.asyncMiddleware(async (req: Request, res: Response) => {
-        const { password, newPassword, channel, target } = req.body
+        const { password, newPassword, channel, target, invalidateActiveSessions } = req.body
         const email = req.body.email.toLowerCase()
         const { strategy } = req.params
 
         // Random delay to prevent an attacker from determining if an account exists by the response time. Arbitrary numbers
         await Promise.delay(_.random(15, 80))
 
-        await this._login(email, password, strategy, newPassword, req.ip)
+        await this._login(email, password, strategy, newPassword, req.ip, invalidateActiveSessions)
         let token: TokenResponse
 
         // If the channel & target is set, we consider that it's a chat user logging in (even if it's with admin credentials)
@@ -94,7 +94,8 @@ export class StrategyBasic {
     password: string,
     strategy: string,
     newPassword?: string,
-    ipAddress: string = ''
+    ipAddress: string = '',
+    invalidateToken: boolean = true
   ): Promise<void> {
     await this._checkUserAuth(email, strategy, password, newPassword, ipAddress)
     const strategyOptions = _.get(await this.authService.getStrategy(strategy), 'options') as AuthStrategyBasic
@@ -107,6 +108,10 @@ export class StrategyBasic {
       this._validatePassword(newPassword, strategyOptions)
       const hash = saltHashPassword(newPassword)
 
+      if (invalidateToken) {
+        await this.authService.incrementTokenVersion(email, strategy)
+      }
+
       await this.authService.updateUser(email, strategy, {
         password: hash.hash,
         salt: hash.salt,

diff --git a/packages/ui-admin/src/app/translations/en.json b/packages/ui-admin/src/app/translations/en.json
@@ -23,6 +23,7 @@
     "hideToken": "Hide token",
     "changeYourPassword": "Change your password",
     "confirmPassword": "Confirm Password",
+    "invalidateActiveSessions": "Invalidate Active Sessions",
     "createAccount": "Create Account",
     "createMasterAdminAccount": "This is the first time you run Botpress. Please create the master admin account.",
     "currentPassword": "Current password",

diff --git a/packages/ui-admin/src/app/translations/es.json b/packages/ui-admin/src/app/translations/es.json
@@ -22,6 +22,7 @@
     "hideToken": "Ocultar token",
     "changeYourPassword": "Cambiar contraseña",
     "confirmPassword": "Confirmar contraseña",
+    "invalidateActiveSessions": "Invalidar sesiones activas",
     "createAccount": "Crear una cuenta",
     "createMasterAdminAccount": "Esta es la primera vez que ejecuta Botpress. Cree la cuenta de administrador principal.",
     "currentPassword": "Contraseña actual",

diff --git a/packages/ui-admin/src/app/translations/fr.json b/packages/ui-admin/src/app/translations/fr.json
@@ -23,6 +23,7 @@
     "hideToken": "Cacher le jeton",
     "changeYourPassword": "Changez votre mot de passe",
     "confirmPassword": "Confirmez le mot de passe",
+    "invalidateActiveSessions": "Invalider les sessions actives",
     "createAccount": "Créer un compte",
     "createMasterAdminAccount": "C'est la première fois que vous exécutez Botpress. Veuillez créer le compte administrateur principal.",
     "currentPassword": "Mot de passe actuel",

diff --git a/packages/ui-admin/src/user/UpdatePassword.tsx b/packages/ui-admin/src/user/UpdatePassword.tsx
@@ -1,4 +1,4 @@
-import { Button, Classes, Dialog, FormGroup, InputGroup, Intent } from '@blueprintjs/core'
+import { Button, Classes, Dialog, FormGroup, InputGroup, Intent, Checkbox } from '@blueprintjs/core'
 import { lang, toast, auth } from 'botpress/shared'
 import { UserProfile } from 'common/typings'
 import React, { FC, useState } from 'react'
@@ -15,6 +15,7 @@ const UpdatePassword: FC<Props> = props => {
   const [password, setPassword] = useState<string>('')
   const [newPassword, setNewPassword] = useState<string>('')
   const [confirmPassword, setConfirmPassword] = useState<string>('')
+  const [invalidateActiveSessions, setInvalidateActiveSessions] = useState<boolean>(false)
 
   const submit = async event => {
     event.preventDefault()
@@ -23,7 +24,16 @@ const UpdatePassword: FC<Props> = props => {
     const client = api.getSecured()
 
     try {
-      await client.post(`/admin/auth/login/${strategyType}/${strategy}`, { email, password, newPassword })
+      const { data } = await client.post(`/admin/auth/login/${strategyType}/${strategy}`, {
+        email,
+        password,
+        newPassword,
+        invalidateActiveSessions
+      })
+
+      if (invalidateActiveSessions) {
+        auth.setToken(data.payload)
+      }
 
       props.toggle()
       toast.success(lang.tr('admin.passwordUpdatedSuccessfully'))
@@ -91,6 +101,17 @@ const UpdatePassword: FC<Props> = props => {
             />
           </FormGroup>
           <PasswordStrengthMeter pwdCandidate={newPassword} />
+
+          <FormGroup>
+            <Checkbox
+              checked={invalidateActiveSessions}
+              onChange={() => {
+                setInvalidateActiveSessions(!invalidateActiveSessions)
+              }}
+            >
+              {lang.tr('admin.invalidateActiveSessions')}
+            </Checkbox>
+          </FormGroup>
         </div>
 
         <div className={Classes.DIALOG_FOOTER}>