diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 60976cb73..7908578a6 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -21,6 +21,7 @@ exports = module.exports = {
 var apps = require('../apps.js'),
 assert = require('assert'),
+ async = require('async'),
 authcodedb = require('../authcodedb.js'),
 BoxError = require('../boxerror.js'),
 clients = require('../clients'),
@@ -275,10 +276,45 @@ function login(req, res) {
 // -> GET /api/v1/session/logout
 function logout(req, res) {
- req.logout();
+ function done() {
+ req.logout();
- if (req.query && req.query.redirect) res.redirect(req.query.redirect);
- else res.redirect('/');
+ if (req.query && req.query.redirect) res.redirect(req.query.redirect);
+ else res.redirect('/');
+ }
+
+ if (!req.query.all) return done();
+
+ // find and destroy all login sessions by this user - this got rather complex quickly
+ req.sessionStore.list(function (error, result) {
+ if (error) {
+ console.error('Error listing sessions', error);
+ return done();
+ }
+
+ // WARNING fix this if we change the storage backend - Great stuff!
+ var sessionIds = result.map(function(s) { return s.replace('.json', ''); });
+
+ async.each(sessionIds, function (id, callback) {
+ req.sessionStore.get(id, function (error, result) {
+ if (error) {
+ console.error(`Error getting session ${id}`, error);
+ return callback();
+ }
+
+ // ignore empty or non passport sessions
+ if (!result || !result.passport || !result.passport.user) return callback();
+
+ // not this user
+ if (result.passport.user !== req.user.id) return callback();
+
+ req.sessionStore.destroy(id, function (error) {
+ if (error) console.error(`Unable to destroy session ${id}`, error);
+ callback();
+ });
+ });
+ }, done);
+ });
 }
 // Form to enter email address to send a password reset request mail
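Review bot: A failure in `req.sessionStore.list`, `get` or `destroy` is only logged and then `done()` redirects exactly as on success, so a caller who passed `?all=` to revoke every session gets no indication that some sessions were left alive; the error branches should surface the failure (for example by passing the error into `done` and answering with an error status instead of the redirect) rather than fall through silently. `result.passport.user !== req.user.id` runs inside the store callback and will throw a TypeError if `req.user` is unset when `?all=` is supplied — presumably this route sits behind authentication, but a guard such as `if (!req.user) return done();` before the list call would make that explicit, and capturing `var userId = req.user.id;` up front keeps the comparison stable while the callbacks run. `s.replace('.json', '')` strips the first occurrence rather than the extension, so `s.replace(/\.json$/, '')` is the safer form given the WARNING about backend coupling. The unvalidated `res.redirect(req.query.redirect)` is carried over from the old code and still redirects to whatever target the query names; restricting it to local paths would close that gap.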