Allow updating password without logging out sessions via admin api

[jcgruenhage]

It'd be helpful to allow resetting passwords for users without logging them out of all of their sessions. When a user doesn't have their security key saved properly, as many do, this will prevent them from loosing access to their message history. What I'd imagine is a query parameter for the user update endpoint, that allows choosing between no logout at all, a soft-logout and a real logout, with the default being the real logout to not have a breaking change there.

I think a soft-logout is probably always the desired thing to do here, but there's also cases where no logout at all is the best option.

For additional context: Awesome-Technologies/synapse-admin#268

[clokep]

This is possible for the client endpoint (see MSC2457), so all the infrastructure should be there.

It looks like we just need to read logout_devices from the JSON body instead of hard-coding to true:

synapse/synapse/rest/admin/users.py

Lines 307 to 316 in e24ff8e

	if password is not None:
	logout_devices = True
	new_password_hash = await self.auth_handler.hash(password)
	await self.set_password_handler.set_password(
	target_user.to_string(),
	new_password_hash,
	logout_devices,
	requester,
	)

[dklimpel]

It is also possible with this endpoint: https://matrix-org.github.io/synapse/latest/admin_api/user_admin_api.html#reset-password

[jcgruenhage]

So, while this doesn't include the option to soft-logout, I've opened #12952 to at least brings it to the same state as the reset-password and regular client-server password changing API.