From 9fc028b3d784a79fa7b4a7de8c28847e08f47167 Mon Sep 17 00:00:00 2001
From: Luke Pulverenti <luke.pulverenti@gmail.com>
Date: Sun, 5 Jun 2016 16:39:37 -0400
Subject: [PATCH] revoke access tokens on password change

---
 MediaBrowser.Api/UserService.cs                          | 9 +++++++--
 MediaBrowser.Controller/Session/ISessionManager.cs       | 3 +--
 .../Session/SessionManager.cs                            | 7 +++++--
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/MediaBrowser.Api/UserService.cs b/MediaBrowser.Api/UserService.cs
index 9b611c3971..07ff36c41f 100644
--- a/MediaBrowser.Api/UserService.cs
+++ b/MediaBrowser.Api/UserService.cs
@@ -385,7 +385,7 @@ namespace MediaBrowser.Api
                 throw new ResourceNotFoundException("User not found");
             }
 
-            await _sessionMananger.RevokeUserTokens(user.Id.ToString("N")).ConfigureAwait(false);
+            await _sessionMananger.RevokeUserTokens(user.Id.ToString("N"), null).ConfigureAwait(false);
 
             await _userManager.DeleteUser(user).ConfigureAwait(false);
         }
@@ -465,6 +465,10 @@ namespace MediaBrowser.Api
                 }
 
                 await _userManager.ChangePassword(user, request.NewPassword).ConfigureAwait(false);
+
+                var currentToken = AuthorizationContext.GetAuthorizationInfo(Request).Token;
+
+                await _sessionMananger.RevokeUserTokens(user.Id.ToString("N"), currentToken).ConfigureAwait(false);
             }
         }
 
@@ -602,7 +606,8 @@ namespace MediaBrowser.Api
                     throw new ArgumentException("There must be at least one enabled user in the system.");
                 }
 
-                await _sessionMananger.RevokeUserTokens(user.Id.ToString("N")).ConfigureAwait(false);
+                var currentToken = AuthorizationContext.GetAuthorizationInfo(Request).Token;
+                await _sessionMananger.RevokeUserTokens(user.Id.ToString("N"), currentToken).ConfigureAwait(false);
             }
 
             await _userManager.UpdateUserPolicy(request.Id, request).ConfigureAwait(false);
diff --git a/MediaBrowser.Controller/Session/ISessionManager.cs b/MediaBrowser.Controller/Session/ISessionManager.cs
index fa74c57499..6659d15530 100644
--- a/MediaBrowser.Controller/Session/ISessionManager.cs
+++ b/MediaBrowser.Controller/Session/ISessionManager.cs
@@ -315,9 +315,8 @@ namespace MediaBrowser.Controller.Session
         /// <summary>
         /// Revokes the user tokens.
         /// </summary>
-        /// <param name="userId">The user identifier.</param>
         /// <returns>Task.</returns>
-        Task RevokeUserTokens(string userId);
+        Task RevokeUserTokens(string userId, string currentAccessToken);
 
         /// <summary>
         /// Revokes the token.
diff --git a/MediaBrowser.Server.Implementations/Session/SessionManager.cs b/MediaBrowser.Server.Implementations/Session/SessionManager.cs
index 4386b785ad..098fe0b4d5 100644
--- a/MediaBrowser.Server.Implementations/Session/SessionManager.cs
+++ b/MediaBrowser.Server.Implementations/Session/SessionManager.cs
@@ -1451,7 +1451,7 @@ namespace MediaBrowser.Server.Implementations.Session
             }
         }
 
-        public async Task RevokeUserTokens(string userId)
+        public async Task RevokeUserTokens(string userId, string currentAccessToken)
         {
             var existing = _authRepo.Get(new AuthenticationInfoQuery
             {
@@ -1461,7 +1461,10 @@ namespace MediaBrowser.Server.Implementations.Session
 
             foreach (var info in existing.Items)
             {
-                await Logout(info.AccessToken).ConfigureAwait(false);
+                if (!string.Equals(currentAccessToken, info.AccessToken, StringComparison.OrdinalIgnoreCase))
+                {
+                    await Logout(info.AccessToken).ConfigureAwait(false);
+                }
             }
         }