feat(security): #328 delete old sessions for change and forgot password

db/auth.go

@@ -100,6 +100,7 @@ type Auth interface {
 
 	InsertSession(session *Session) error
 	GetSession(sessionId string) (*Session, error)
+	GetSessions(userId uuid.UUID) ([]*Session, error)
 	DeleteSession(sessionId string) error
 	DeleteOldSessions(userId uuid.UUID) error
 }
@@ -416,9 +417,44 @@ func (db AuthSqlite) GetSession(sessionId string) (*Session, error) {
 	return NewSession(sessionId, userId, createdAt, expiresAt), nil
 }
 
+func (db AuthSqlite) GetSessions(userId uuid.UUID) ([]*Session, error) {
+
+	sessions, err := db.db.Query(`
+			SELECT session_id, created_at, expires_at
+			FROM session 
+			WHERE user_id = ?`, userId)
+	if err != nil {
+		log.Error("Could not get sessions: %v", err)
+		return nil, types.ErrInternal
+	}
+
+	var result []*Session
+
+	for sessions.Next() {
+		var (
+			sessionId string
+			createdAt time.Time
+			expiresAt time.Time
+		)
+
+		err := sessions.Scan(&sessionId, &createdAt, &expiresAt)
+		if err != nil {
+			log.Error("Could not scan session: %v", err)
+			return nil, types.ErrInternal
+		}
+
+		session := NewSession(sessionId, userId, createdAt, expiresAt)
+		result = append(result, session)
+	}
+
+	return result, nil
+}
+
 func (db AuthSqlite) DeleteOldSessions(userId uuid.UUID) error {
-	// Delete old inactive sessions
+	_, err := db.db.Exec(`
-	_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_id = ?", userId)
+		DELETE FROM session 
+		WHERE expires_at < datetime('now')
+		  AND user_id = ?`, userId)
 	if err != nil {
 		log.Error("Could not delete old sessions: %v", err)
 		return types.ErrInternal

handler/auth.go

@@ -48,9 +48,9 @@ func (handler AuthImpl) Handle(router *http.ServeMux) {
 	router.Handle("/auth/change-password", handler.handleChangePasswordPage())
 	router.Handle("/api/auth/change-password", handler.handleChangePasswordComp())
 
-	router.Handle("/auth/reset-password", handler.handleResetPasswordPage())
+	router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage())
-	router.Handle("/api/auth/reset-password", handler.handleForgotPasswordComp())
+	router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp())
-	router.Handle("/api/auth/reset-password-actual", handler.handleForgotPasswordResponseComp())
+	router.Handle("/api/auth/forgot-password-actual", handler.handleForgotPasswordResponseComp())
 }
 
 var (
@@ -93,12 +93,10 @@ func (handler AuthImpl) handleSignIn() http.HandlerFunc {
 		})
 
 		if err != nil {
-			if err == service.ErrInvaidCredentials {
+			if err == service.ErrInvalidCredentials {
-				utils.TriggerToast(w, r, "error", "Invalid email or password")
+				utils.TriggerToast(w, r, "error", "Invalid email or password", http.StatusUnauthorized)
-				http.Error(w, "Invalid email or password", http.StatusUnauthorized)
 			} else {
-				log.Error("Error signing in: %v", err)
+				utils.TriggerToast(w, r, "error", "An error occurred", http.StatusInternalServerError)
-				http.Error(w, "An error occurred", http.StatusInternalServerError)
 			}
 			return
 		}
@@ -198,16 +196,16 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
 
 		if err != nil {
 			if errors.Is(err, types.ErrInternal) {
-				utils.TriggerToast(w, r, "error", "An error occurred")
+				utils.TriggerToast(w, r, "error", "An error occurred", http.StatusInternalServerError)
 				return
 			} else if errors.Is(err, service.ErrInvalidEmail) {
-				utils.TriggerToast(w, r, "error", "The email provided is invalid")
+				utils.TriggerToast(w, r, "error", "The email provided is invalid", http.StatusBadRequest)
 				return
 			}
 			// If the "service.ErrAccountExists", then just continue
 		}
 
-		utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.")
+		utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.", http.StatusOK)
 	}
 }
 
@@ -261,15 +259,13 @@ func (handler AuthImpl) handleDeleteAccountComp() http.HandlerFunc {
 
 		password := r.FormValue("password")
 
-		_, err := handler.service.SignIn(user.Email, password)
+		err := handler.service.DeleteAccount(user, password)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Password not correct")
+			if err == service.ErrInvalidCredentials {
-			return
+				utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
+			} else {
+				utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
 			}
-
-		err = handler.service.DeleteAccount(user)
-		if err != nil {
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
 			return
 		}
 
@@ -297,8 +293,8 @@ func (handler AuthImpl) handleChangePasswordPage() http.HandlerFunc {
 func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
-		user := middleware.GetUser(r)
+		session := middleware.GetSession(r)
-		if user == nil {
+		if session == nil || session.User == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
@@ -306,22 +302,22 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 		currPass := r.FormValue("current-password")
 		newPass := r.FormValue("new-password")
 
-		err := handler.service.ChangePassword(user, currPass, newPass)
+		err := handler.service.ChangePassword(session, currPass, newPass)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Password not correct")
+			utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
 			return
 		}
 
-		utils.TriggerToast(w, r, "success", "Password changed")
+		utils.TriggerToast(w, r, "success", "Password changed", http.StatusOK)
 	}
 }
 
-func (handler AuthImpl) handleResetPasswordPage() http.HandlerFunc {
+func (handler AuthImpl) handleForgotPasswordPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
 		user := middleware.GetUser(r)
-		if user == nil {
+		if user != nil {
-			utils.DoRedirect(w, r, "/auth/signin")
+			utils.DoRedirect(w, r, "/")
 			return
 		}
 
@@ -335,15 +331,19 @@ func (handler AuthImpl) handleForgotPasswordComp() http.HandlerFunc {
 
 		email := r.FormValue("email")
 		if email == "" {
-			utils.TriggerToast(w, r, "error", "Please enter an email")
+			utils.TriggerToast(w, r, "error", "Please enter an email", http.StatusBadRequest)
 			return
 		}
 
+		_, err := utils.WaitMinimumTime(securityWaitDuration, func() (interface{}, error) {
 			err := handler.service.SendForgotPasswordMail(email)
+			return nil, err
+		})
+
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
+			utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
 		} else {
-			utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent")
+			utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent", http.StatusOK)
 		}
 	}
 }
@@ -354,23 +354,18 @@ func (handler AuthImpl) handleForgotPasswordResponseComp() http.HandlerFunc {
 		pageUrl, err := url.Parse(r.Header.Get("HX-Current-URL"))
 		if err != nil {
 			log.Error("Could not get current URL: %v", err)
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
+			utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
 			return
 		}
 
 		token := pageUrl.Query().Get("token")
-		if token == "" {
-			utils.TriggerToast(w, r, "error", "No token")
-			return
-		}
-
 		newPass := r.FormValue("new-password")
 
 		err = handler.service.ForgotPassword(token, newPass)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", err.Error())
+			utils.TriggerToast(w, r, "error", err.Error(), http.StatusInternalServerError)
 		} else {
-			utils.TriggerToast(w, r, "success", "Password changed")
+			utils.TriggerToast(w, r, "success", "Password changed", http.StatusOK)
 		}
 	}
 }

handler/middleware/cross_site_request_forgery.go

@@ -61,7 +61,9 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 				}
 			}
 
-			if session == nil && (strings.Contains(r.RequestURI, "/auth/signup") || strings.Contains(r.RequestURI, "/auth/signin")) {
+			// Always sign in anonymous
+			// This way, there is no way to forget creating a csrf token
+			if session == nil {
 				session, _ = auth.SignInAnonymous()
 
 				cookie := CreateSessionCookie(session.Id)

handler/middleware/security_headers.go

@@ -14,13 +14,13 @@ func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Han
 			w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
 			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
 			w.Header().Set("Content-Security-Policy",
-				"default-src 'none';"+
+				"default-src 'none'; "+
-					"script-src 'self' https://umami.me-fit.eu"+
+					"script-src 'self' https://umami.me-fit.eu; "+
-					"connect-src 'self' https://umami.me-fit.eu"+
+					"connect-src 'self' https://umami.me-fit.eu; "+
-					"img-src 'self'"+
+					"img-src 'self'; "+
-					"style-src 'self'"+
+					"style-src 'self'; "+
-					"form-action 'self'"+
+					"form-action 'self'; "+
-					"frame-ancestors 'none'",
+					"frame-ancestors 'none'; ",
 			)
 			w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
 			w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")

handler/workout.go

@@ -2,7 +2,6 @@ package handler
 
 import (
 	"me-fit/handler/middleware"
-	"me-fit/log"
 	"me-fit/service"
 	"me-fit/template/workout"
 	"me-fit/utils"
@@ -67,7 +66,7 @@ func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
 		wo := service.NewWorkoutDto("", dateStr, typeStr, setsStr, repsStr)
 		wo, err := handler.service.AddWorkout(session.User, wo)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Invalid input values")
+			utils.TriggerToast(w, r, "error", "Invalid input values", http.StatusBadRequest)
 			http.Error(w, "Invalid input values", http.StatusBadRequest)
 			return
 		}
@@ -111,25 +110,19 @@ func (handler WorkoutImpl) handleDeleteWorkout() http.HandlerFunc {
 
 		rowId := r.PathValue("id")
 		if rowId == "" {
-			http.Error(w, "Missing required fields", http.StatusBadRequest)
+			utils.TriggerToast(w, r, "error", "Missing ID field", http.StatusBadRequest)
-			log.Warn("Missing required fields for workout delete")
-			utils.TriggerToast(w, r, "error", "Missing ID field")
 			return
 		}
 
 		rowIdInt, err := strconv.Atoi(rowId)
 		if err != nil {
-			http.Error(w, "Invalid ID", http.StatusBadRequest)
+			utils.TriggerToast(w, r, "error", "Invalid ID", http.StatusBadRequest)
-			log.Warn("Invalid ID for workout delete")
-			utils.TriggerToast(w, r, "error", "Invalid ID")
 			return
 		}
 
 		err = handler.service.DeleteWorkout(session.User, rowIdInt)
 		if err != nil {
-			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
-			log.Error("Could not delete workout: %v", err.Error())
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
 			return
 		}
 	}

less

@@ -1,28 +0,0 @@
-
-  __    _   ___  
- / /\  | | | |_) 
-/_/--\ |_| |_| \_ v1.52.3, built with Go go1.22.5
-
-mkdir /home/tiwun/source/me-fit/tmp
-watching .
-watching db
-watching handler
-watching handler/middleware
-watching log
-watching migration
-watching mocks
-!exclude node_modules
-watching service
-!exclude static
-watching template
-watching template/auth
-watching template/mail
-watching template/workout
-!exclude tmp
-watching types
-watching utils
-building...
-(✓) Complete [ updates=12 duration=10.258748ms ]
-cleaning...
-deleting /home/tiwun/source/me-fit/tmp
-see you again~

main_test.go

@@ -11,6 +11,7 @@ import (
 	"testing"
 	"time"
 
+	"me-fit/db"
 	"me-fit/service"
 	"me-fit/types"
 
@@ -81,13 +82,13 @@ func TestIntegrationSecurityHeader(t *testing.T) {
 		assert.Equal(t, "GET, POST, DELETE", value)
 
 		value = resp.Header.Get("Content-Security-Policy")
-		assert.Equal(t, "default-src 'none';"+
+		assert.Equal(t, "default-src 'none'; "+
-			"script-src 'self' https://umami.me-fit.eu"+
+			"script-src 'self' https://umami.me-fit.eu; "+
-			"connect-src 'self' https://umami.me-fit.eu"+
+			"connect-src 'self' https://umami.me-fit.eu; "+
-			"img-src 'self'"+
+			"img-src 'self'; "+
-			"style-src 'self'"+
+			"style-src 'self'; "+
-			"form-action 'self'"+
+			"form-action 'self'; "+
-			"frame-ancestors 'none'", value)
+			"frame-ancestors 'none';", value)
 
 		value = resp.Header.Get("Cross-Origin-Resource-Policy")
 		assert.Equal(t, "same-origin", value)
@@ -159,6 +160,138 @@ func TestIntegrationAuth(t *testing.T) {
 		assert.True(t, cookie.HttpOnly, "Cookie is not secure")
 		assert.True(t, cookie.Secure, "Cookie is not secure")
 	})
+	t.Run("should change password and invalidate other sessions from user", func(t *testing.T) {
+		t.Parallel()
+
+		db, basePath, ctx := setupIntegrationTest(t)
+		userId := uuid.New()
+		userIdOther := uuid.New()
+
+		pass := service.GetHashPassword("password", []byte("salt"))
+		_, err := db.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+
+		sessionId := "session-id"
+		assert.Nil(t, err)
+		_, err = db.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+		assert.Nil(t, err)
+		_, err = db.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES ("second", ?, datetime(), datetime("now", "+1 day"))`, userId)
+		assert.Nil(t, err)
+		_, err = db.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES ("other", ?, datetime(), datetime("now", "+1 day"))`, userIdOther)
+		assert.Nil(t, err)
+
+		req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
+		assert.Nil(t, err)
+		req.Header.Set("Cookie", "id="+sessionId)
+		resp, err := httpClient.Do(req)
+		assert.Nil(t, err)
+
+		html, err := html.Parse(resp.Body)
+		assert.Nil(t, err)
+
+		csrfToken := findCsrfToken(html)
+		assert.NotEqual(t, "", csrfToken)
+
+		formData := url.Values{
+			"current-password": {"password"},
+			"new-password":     {"MyNewSecurePassword1!"},
+			"csrf-token":       {csrfToken},
+		}
+
+		req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
+		assert.Nil(t, err)
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		req.Header.Set("Cookie", "id="+sessionId)
+		req.Header.Set("HX-Request", "true")
+		resp, err = httpClient.Do(req)
+		assert.Nil(t, err)
+
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+		var sessionIds []string
+		sessions, err := db.Query(`SELECT session_id FROM session WHERE NOT user_id = ? ORDER BY session_id`, uuid.Nil)
+		assert.Nil(t, err)
+		for sessions.Next() {
+			var sessionId string
+			err = sessions.Scan(&sessionId)
+			assert.Nil(t, err)
+			sessionIds = append(sessionIds, sessionId)
+		}
+
+		assert.Equal(t, 2, len(sessionIds))
+		assert.Equal(t, "other", sessionIds[0])
+		assert.Equal(t, "session-id", sessionIds[1])
+	})
+	t.Run("should forget password and invalidate all user sessions", func(t *testing.T) {
+		t.Parallel()
+
+		d, basePath, ctx := setupIntegrationTest(t)
+		userId := uuid.New()
+
+		pass := service.GetHashPassword("password", []byte("salt"))
+		_, err := d.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+
+		assert.Nil(t, err)
+		_, err = d.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES ("session-id", ?, datetime(), datetime("now", "+1 day"))`, userId)
+		assert.Nil(t, err)
+
+		req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
+		assert.Nil(t, err)
+		resp, err := httpClient.Do(req)
+		assert.Nil(t, err)
+
+		sessionId := findCookie(resp, "id").Value
+		html, err := html.Parse(resp.Body)
+		assert.Nil(t, err)
+		csrfToken := findCsrfToken(html)
+		assert.NotEqual(t, "", csrfToken)
+
+		formData := url.Values{
+			"email":      {"mail@mail.de"},
+			"csrf-token": {csrfToken},
+		}
+		req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password", strings.NewReader(formData.Encode()))
+		assert.Nil(t, err)
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		req.Header.Set("Cookie", "id="+sessionId)
+		req.Header.Set("HX-Request", "true")
+		resp, err = httpClient.Do(req)
+		assert.Nil(t, err)
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+		var token string
+		err = d.QueryRow("SELECT token FROM token WHERE type = ?", db.TokenTypePasswordReset).Scan(&token)
+		assert.Nil(t, err)
+
+		formData = url.Values{
+			"new-password": {"MyNewSecurePassword1!"},
+			"csrf-token":   {csrfToken},
+		}
+		req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password-actual", strings.NewReader(formData.Encode()))
+		assert.Nil(t, err)
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		req.Header.Set("Cookie", "id="+sessionId)
+		req.Header.Set("HX-Request", "true")
+		req.Header.Set("HX-Current-URL", basePath+"/auth/change-password?token="+url.QueryEscape(token))
+		resp, err = httpClient.Do(req)
+		assert.Nil(t, err)
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+		sessions, err := d.Query("SELECT session_id FROM session WHERE user_id = ?", userId)
+		assert.Nil(t, err)
+		assert.False(t, sessions.Next())
+	})
 }
 
 func findCookie(resp *http.Response, name string) *http.Cookie {

service/auth.go

@@ -18,11 +18,12 @@ import (
 )
 
 var (
-	ErrInvaidCredentials = errors.New("invalid email or password")
+	ErrInvalidCredentials = errors.New("invalid email or password")
 	ErrInvalidPassword    = errors.New("password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character")
 	ErrInvalidEmail       = errors.New("invalid email")
 	ErrAccountExists      = errors.New("account already exists")
 	ErrSessionIdInvalid   = errors.New("session ID is invalid")
+	ErrTokenInvalid       = errors.New("token is invalid")
 )
 
 type User struct {
@@ -65,9 +66,9 @@ type Auth interface {
 	SignInAnonymous() (*Session, error)
 	SignOut(sessionId string) error
 
-	DeleteAccount(user *User) error
+	DeleteAccount(user *User, currPass string) error
 
-	ChangePassword(user *User, currPass, newPass string) error
+	ChangePassword(session *Session, currPass, newPass string) error
 
 	SendForgotPasswordMail(email string) error
 	ForgotPassword(token string, newPass string) error
@@ -98,7 +99,7 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
 	user, err := service.db.GetUserByEmail(email)
 	if err != nil {
 		if errors.Is(err, db.ErrNotFound) {
-			return nil, ErrInvaidCredentials
+			return nil, ErrInvalidCredentials
 		} else {
 			return nil, types.ErrInternal
 		}
@@ -107,7 +108,7 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
 	hash := GetHashPassword(password, user.Salt)
 
 	if subtle.ConstantTimeCompare(hash, user.Password) == 0 {
-		return nil, ErrInvaidCredentials
+		return nil, ErrInvalidCredentials
 	}
 
 	session, err := service.createSession(user.Id)
@@ -297,9 +298,19 @@ func (service AuthImpl) SignOut(sessionId string) error {
 	return service.db.DeleteSession(sessionId)
 }
 
-func (service AuthImpl) DeleteAccount(user *User) error {
+func (service AuthImpl) DeleteAccount(user *User, currPass string) error {
 
-	err := service.db.DeleteUser(user.Id)
+	userDb, err := service.db.GetUser(user.Id)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	currHash := GetHashPassword(currPass, userDb.Salt)
+	if subtle.ConstantTimeCompare(currHash, userDb.Password) == 0 {
+		return ErrInvalidCredentials
+	}
+
+	err = service.db.DeleteUser(user.Id)
 	if err != nil {
 		return err
 	}
@@ -309,7 +320,7 @@ func (service AuthImpl) DeleteAccount(user *User) error {
 	return nil
 }
 
-func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) error {
+func (service AuthImpl) ChangePassword(session *Session, currPass, newPass string) error {
 
 	if !isPasswordValid(newPass) {
 		return ErrInvalidPassword
@@ -319,18 +330,18 @@ func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) err
 		return ErrInvalidPassword
 	}
 
-	_, err := service.SignIn(user.Email, currPass)
+	userDb, err := service.db.GetUser(session.User.Id)
 	if err != nil {
 		return err
 	}
 
-	userDb, err := service.db.GetUser(user.Id)
+	currHash := GetHashPassword(currPass, userDb.Salt)
-	if err != nil {
+
-		return err
+	if subtle.ConstantTimeCompare(currHash, userDb.Password) == 0 {
+		return ErrInvalidCredentials
 	}
 
 	newHash := GetHashPassword(newPass, userDb.Salt)
-
 	userDb.Password = newHash
 
 	err = service.db.UpdateUser(userDb)
@@ -338,11 +349,23 @@ func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) err
 		return err
 	}
 
+	sessions, err := service.db.GetSessions(userDb.Id)
+	if err != nil {
+		return types.ErrInternal
+	}
+	for _, s := range sessions {
+		if s.Id != session.Id {
+			err = service.db.DeleteSession(s.Id)
+			if err != nil {
+				return types.ErrInternal
+			}
+		}
+	}
+
 	return nil
 }
 
 func (service AuthImpl) SendForgotPasswordMail(email string) error {
-
 	tokenStr, err := service.random.String(32)
 	if err != nil {
 		return err
@@ -383,7 +406,7 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
 
 	token, err := service.db.GetToken(tokenStr)
 	if err != nil {
-		return err
+		return ErrTokenInvalid
 	}
 
 	err = service.db.DeleteToken(tokenStr)
@@ -391,6 +414,11 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
 		return err
 	}
 
+	if token.Type != db.TokenTypePasswordReset ||
+		token.ExpiresAt.Before(service.clock.Now()) {
+		return ErrTokenInvalid
+	}
+
 	user, err := service.db.GetUser(token.UserId)
 	if err != nil {
 		log.Error("Could not get user from token: %v", err)
@@ -405,6 +433,18 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
 		return err
 	}
 
+	sessions, err := service.db.GetSessions(user.Id)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	for _, session := range sessions {
+		err = service.db.DeleteSession(session.Id)
+		if err != nil {
+			return types.ErrInternal
+		}
+	}
+
 	return nil
 }
 

service/auth_test.go

@@ -80,7 +80,7 @@ func TestSignIn(t *testing.T) {
 
 		_, err := underTest.SignIn("test@test.de", "wrong password")
 
-		assert.Equal(t, ErrInvaidCredentials, err)
+		assert.Equal(t, ErrInvalidCredentials, err)
 	})
 	t.Run("should return ErrInvalidCretentials if user has not been found", func(t *testing.T) {
 		t.Parallel()
@@ -94,7 +94,7 @@ func TestSignIn(t *testing.T) {
 		underTest := NewAuthImpl(mockAuthDb, mockRandom, mockClock, mockMail, &types.Settings{})
 
 		_, err := underTest.SignIn("test", "test")
-		assert.Equal(t, ErrInvaidCredentials, err)
+		assert.Equal(t, ErrInvalidCredentials, err)
 	})
 	t.Run("should forward ErrInternal on any other error", func(t *testing.T) {
 		t.Parallel()

template/auth/change_password.templ

@@ -4,7 +4,7 @@ templ ChangePasswordComp(isPasswordReset bool) {
 	<form
 		class="max-w-xl px-2 mx-auto flex flex-col gap-4 h-full justify-center"
 		if isPasswordReset {
-			hx-post="/api/auth/reset-password-actual"
+			hx-post="/api/auth/forgot-password-actual"
 		} else {
 			hx-post="/api/auth/change-password"
 		}

template/auth/reset_password.templ

@@ -3,7 +3,7 @@ package auth
 templ ResetPasswordComp() {
 	<form
 		class="max-w-xl px-2 mx-auto flex flex-col gap-4 h-full justify-center"
-		hx-post="/api/auth/reset-password"
+		hx-post="/api/auth/forgot-password"
 		hx-swap="none"
 	>
 		<h2 class="text-6xl mb-10">

template/auth/sign_in_or_up.templ

@@ -62,7 +62,7 @@ if isSignIn {
 		</label>
 		<div class="flex justify-end items-center gap-2">
 			if isSignIn {
-				<a href="/auth/reset-password" class="grow link text-gray-500 text-sm">Forgot Password?</a>
+				<a href="/auth/forgot-password" class="grow link text-gray-500 text-sm">Forgot Password?</a>
 				<a href="/auth/signup" class="link text-gray-500 text-sm">Don't have an account? Sign Up</a>
 				<button class="btn btn-primary">
 					Sign In

utils/http.go

@@ -8,9 +8,10 @@ import (
 	"time"
 )
 
-func TriggerToast(w http.ResponseWriter, r *http.Request, class string, message string) {
+func TriggerToast(w http.ResponseWriter, r *http.Request, class string, message string, statusCode int) {
 	if isHtmx(r) {
 		w.Header().Set("HX-Trigger", fmt.Sprintf(`{"toast": "%v|%v"}`, class, message))
+		w.WriteHeader(statusCode)
 	} else {
 		log.Error("Trying to trigger toast in non-HTMX request")
 	}