Session not revoked when user password changes using Parse Dashboard

[anashalb]

Session is not being revoked when the user's password is changed from Parse Dashboard.

Code Ref
I noticed that the condition being checked is: if (this.query && !this.auth.isMaster), which means only non-Master authentication would allow sessions to be revoked. What about when master authentication is changing the user's password (e.g. Parse Dashboard)

Steps to reproduce

1. Create a user in dashboard.
2. Login the user using a rest call, which generates a session for the user.
3. Go to dashboard and change the user's password.
4. Observe that the Session for that user is not revoked.

Expected Results

According to the Parse Server defaults, the session is supposed to be revoked.

Actual Outcome

The session is not being revoked

Environment Setup

• Server

  • parse-server version (Be specific! Don't say 'latest'.) : 2.2.24
  • Operating System: MacOS
  • Hardware:
  • Localhost or remote server? Localhost

• Database

  • MongoDB version: v3.2.1
  • Storage engine: WiredTiger
  • Localhost or remote server? Localhost

[sricharan123]

same issue raised, i got the same problem. issue #3265 .

[flovilmart]

@anashalb thanks for the info.

I'll fix this behaviour which is not intended.

• _sessions will be clean up when password is updated
• a new session will be created only if the user is not master

[pjbrigden]

Hey guys, do you think this issue will be resolved in the next Parse Server release? Keep up the good work!

[flovilmart]

This has been merged and released, please re-open the issue if tis persists.