From 467283d5e0769bd18571941e5d3c4426e51f3896 Mon Sep 17 00:00:00 2001
From: Johannes Zellner
Date: Fri, 8 Nov 2019 21:14:12 +0100
Subject: [PATCH] Destroy all session by a user if wanted
---
 src/routes/oauth2.js | 42 +++++++++++++++++++++++++++++++++++++++---
 1 file changed, 39 insertions(+), 3 deletions(-)
diff --git a/src/routes/oauth2.js b/src/routes/oauth2.js
index 60976cb73..7908578a6 100644
--- a/src/routes/oauth2.js
+++ b/src/routes/oauth2.js
@@ -21,6 +21,7 @@ exports = module.exports = {
 var apps = require('../apps.js'),
 assert = require('assert'),
+ async = require('async'),
 authcodedb = require('../authcodedb.js'),
 BoxError = require('../boxerror.js'),
 clients = require('../clients'),
@@ -275,10 +276,45 @@ function login(req, res) {
 // -> GET /api/v1/session/logout
 function logout(req, res) {
- req.logout();
+ function done() {
+ req.logout();
- if (req.query && req.query.redirect) res.redirect(req.query.redirect);
- else res.redirect('/');
+ if (req.query && req.query.redirect) res.redirect(req.query.redirect);
+ else res.redirect('/');
+ }
+
+ if (!req.query.all) return done();
+
+ // find and destroy all login sessions by this user - this got rather complex quickly
+ req.sessionStore.list(function (error, result) {
+ if (error) {
+ console.error('Error listing sessions', error);
+ return done();
+ }
+
+ // WARNING fix this if we change the storage backend - Great stuff!
+ var sessionIds = result.map(function(s) { return s.replace('.json', ''); });
+
+ async.each(sessionIds, function (id, callback) {
+ req.sessionStore.get(id, function (error, result) {
+ if (error) {
+ console.error(`Error getting session ${id}`, error);
+ return callback();
+ }
+
+ // ignore empty or non passport sessions
+ if (!result || !result.passport || !result.passport.user) return callback();
+
+ // not this user
+ if (result.passport.user !== req.user.id) return callback();
+
+ req.sessionStore.destroy(id, function (error) {
+ if (error) console.error(`Unable to destroy session ${id}`, error);
+ callback();
+ });
+ });
+ }, done);
+ });
 }
 // Form to enter email address to send a password reset request mail
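Review bot: `req.user.id` is read inside the `req.sessionStore.get` callback with no check that the request carries a logged-in user. The route registration is outside the hunk, so if `logout` can be reached without authentication, a request with `all` set throws a TypeError as soon as the store holds one passport session, and nothing around the callback catches it. Guard it before listing, `if (!req.query.all || !req.user) return done();`, and capture the id once with `var userId = req.user.id;` for the comparison. Separately, `done()` still hands `req.query.redirect` to `res.redirect` unvalidated, so this endpoint redirects to any caller-supplied URL; limiting it to same-origin paths would close that.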