From f00547de095ea6aafe9e0054dbf700fb69df33af Mon Sep 17 00:00:00 2001
From: Joseph Ditton <jditton.atomic@gmail.com>
Date: Mon, 6 Dec 2021 17:57:04 -0700
Subject: destroy all user refresh tokens on logout

---
 server/controllers/sessions.controller.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

(limited to 'server/controllers/sessions.controller.ts')

diff --git a/server/controllers/sessions.controller.ts b/server/controllers/sessions.controller.ts
index e1d1155..8a85a12 100644
--- a/server/controllers/sessions.controller.ts
+++ b/server/controllers/sessions.controller.ts
@@ -8,6 +8,8 @@ import { RefreshToken } from 'server/entities/refresh_token.entity';
 import { Skip } from 'server/decorators/skip.decorator';
 import { AuthGuard } from 'server/providers/guards/auth.guard';
 import { RolesService } from 'server/providers/services/roles.service';
+import { JwtBody } from 'server/decorators/jwt_body.decorator';
+import { JwtBodyDto } from 'server/dto/jwt_body.dto';
 
 // this is kind of a misnomer because we are doing token based auth
 // instead of session based auth
@@ -53,7 +55,9 @@ export class SessionsController {
   }
 
   @Delete('/sessions')
-  async destroy(@Res({ passthrough: true }) res: Response) {
+  async destroy(@Res({ passthrough: true }) res: Response, @JwtBody() jwtBody: JwtBodyDto) {
+    const user = await this.usersService.find(jwtBody.userId, ['refreshTokens']);
+    await this.refreshTokenService.destroy(...user.refreshTokens);
     res.clearCookie('_refresh_token');
     return { success: true };
   }
-- 
cgit v1.2.3-70-g09d2