From 96398faa3cad58cfbe3d81e8fec2fe09430e4dfe Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Wed, 28 Jul 2021 14:50:52 -0400
Subject: [PATCH] feat: plumb current session id into email removal/confirmation flow, so all other sessions are revoked except for the current session

This utilises the new argument in user.auth.revokeAllSessions
---
 src/user/email.js | 10 ++++++----
 src/user/index.js | 2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/user/email.js b/src/user/email.js
index f9a3a675b2..85162b8414 100644
--- a/src/user/email.js
+++ b/src/user/email.js
@@ -24,7 +24,7 @@ UserEmail.available = async function (email) {
 return !exists;
 };
 
-UserEmail.remove = async function (uid) {
+UserEmail.remove = async function (uid, sessionId) {
 const email = await user.getUserField(uid, 'email');
 if (!email) {
 return;
@@ -38,7 +38,7 @@ UserEmail.remove = async function (uid) {
 db.sortedSetRemove('email:uid', email.toLowerCase()),
 db.sortedSetRemove('email:sorted', `${email.toLowerCase()}:${uid}`),
 user.email.expireValidation(uid),
-user.auth.revokeAllSessions(uid),
+user.auth.revokeAllSessions(uid, sessionId),
 events.log({ type: 'email-change', email, newEmail: '' }),
 ]);
 };
@@ -137,7 +137,7 @@ UserEmail.sendValidationEmail = async function (uid, options) {
 };
 
 // confirm email by code sent by confirmation email
-UserEmail.confirmByCode = async function (code) {
+UserEmail.confirmByCode = async function (code, sessionId) {
 const confirmObj = await db.getObject(`confirm:${code}`);
 if (!confirmObj || !confirmObj.uid || !confirmObj.email) {
 throw new Error('[[error:invalid-data]]');
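Review bot: The new `sessionId` argument of `UserEmail.remove` is undocumented, and the same applies to `UserEmail.confirmByCode` in the third hunk; its role (the one session that survives the revocation in the second hunk) is stated only in the commit message. A JSDoc line on the assignment would make the contract explicit, e.g. `/** Remove uid's email address and revoke their sessions, keeping only sessionId when one is passed. @param {string} [sessionId] */`. What `user.auth.revokeAllSessions` does when the second argument is undefined is not visible here; presumably every session is revoked, which is the safe default for any caller that was not updated in this commit, but that is worth confirming. The body of `UserEmail.remove` continues past this hunk.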
@@ -145,7 +145,9 @@ UserEmail.confirmByCode = async function (code) {
 
 const oldEmail = await user.getUserField(confirmObj.uid, 'email');
 if (oldEmail && confirmObj.email !== oldEmail) {
-UserEmail.remove(confirmObj.uid);
+await UserEmail.remove(confirmObj.uid, sessionId);
+} else {
+await user.auth.revokeAllSessions(confirmObj.uid, sessionId);
 }
 await user.setUserField(confirmObj.uid, 'email', confirmObj.email);
 
diff --git a/src/user/index.js b/src/user/index.js
index c6d097d0cd..4111a0c391 100644
--- a/src/user/index.js
+++ b/src/user/index.js
@@ -279,7 +279,7 @@ User.addInterstitials = function (callback) {
 }
 } else {
 // User explicitly clearing their email
-await User.email.remove(userData.uid);
+await User.email.remove(userData.uid, data.req.session.id);
 }
 } else {
 // New registrants have the confirm email sent from user.create()
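Review bot: The new `else` branch revokes all other sessions of `confirmObj.uid` even when the confirmed address equals the existing one or when no address was set before, which goes beyond what the subject line describes and is not explained in the code. If that is intended, treating confirmation as a sensitive action regardless of whether the address changed, a comment such as `// no address change to clean up, but still drop every other session for this uid` on the `else` line would keep the next reader from "fixing" it. Whether the callers of `confirmByCode` pass `sessionId` is not visible here; when it is undefined the current session is presumably revoked as well, which is the fail-safe outcome. `confirmByCode` continues past this hunk.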
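Review bot: `data.req.session.id` on the new line assumes every request reaching this interstitial carries a session; if the callback can be invoked through a path without one (which cannot be determined from this hunk), the lookup throws a TypeError before the email is cleared. If a session is guaranteed here, a comment saying so would help, e.g. `// data.req is always a session-backed web request here`; otherwise guard it with `const sessionId = data.req.session && data.req.session.id;` and pass `sessionId`. The enclosing `User.addInterstitials` callback starts and ends outside this hunk.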