From 5d7e10f776edadc727921d33d820f3d3ba09a671 Mon Sep 17 00:00:00 2001
From: Son
Date: Mon, 11 Oct 2021 11:30:41 +0200
Subject: [PATCH] make sure when user changes password, log user out on other browsers

---
 app/auth/views/reset_password.py | 7 +++++++
 server.py | 4 ++--
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/app/auth/views/reset_password.py b/app/auth/views/reset_password.py
index 4709ff3c..acec963d 100644
--- a/app/auth/views/reset_password.py
+++ b/app/auth/views/reset_password.py
@@ -1,3 +1,5 @@
+import uuid
+
 from flask import request, flash, render_template, url_for, g
 from flask_wtf import FlaskForm
 from wtforms import StringField, validators
@@ -50,6 +52,7 @@ def reset_password():
 return render_template("auth/reset_password.html", form=form, error=error)
 user.set_password(new_password)
+ flash("Your new password has been set", "success")
 # this can be served to activate user too
@@ -57,6 +60,10 @@ def reset_password():
 # remove the reset password code
 ResetPasswordCode.delete(reset_password_code.id)
+
+ # change the alternative_id to log user out on other browsers
+ user.alternative_id = str(uuid.uuid4())
+
 db.session.commit()
 # do not use login_user(user) here
diff --git a/server.py b/server.py
index 692df1e7..634498c0 100644
--- a/server.py
+++ b/server.py
@@ -438,8 +438,8 @@ def fake_data():
 @login_manager.user_loader
-def load_user(user_id):
- user = User.get(user_id)
+def load_user(alternative_id):
+ user = User.get_by(alternative_id=alternative_id)
 if user and user.disabled:
 return None
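Review bot: The success message on the added `flash(...)` line is queued before `db.session.commit()`, which runs later in the same function, so a failed commit can still leave "Your new password has been set" to be shown on the next request while neither the new hash nor the session rotation was persisted; move `flash("Your new password has been set", "success")` to just after the commit. The enclosing `reset_password` starts and ends outside this hunk.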
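Review bot: Rotating `user.alternative_id` on the added line covers only the reset-password flow, while the subject promises it for any password change; if the project has a separate change-password view (not visible in this patch), it needs the same rotation before its commit or sessions on other browsers survive there. A more robust home is inside `User.set_password`, so every caller rotates the identifier alongside the hash update, e.g. `self.alternative_id = str(uuid.uuid4())`. The comment should also explain why the value is regenerated rather than restate the assignment: `# rotate the session identifier: Flask-Login resolves users by alternative_id, so sessions on other browsers stop loading`. `reset_password` starts and ends outside this hunk.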
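Review bot: `User.get_by(alternative_id=alternative_id)` on the new line only resolves sessions correctly if `User.get_id()` returns `alternative_id` and that column is unique and non-null; none of this is visible in the patch, so confirm it, since a non-unique column would make `get_by` return whichever row the query finds first and could resolve a session to a different account. Sessions issued before this change still carry the numeric id and will no longer load, which is a one-time forced logout worth recording in a docstring such as `"""Flask-Login user loader; the session stores alternative_id, which is rotated on password reset so sessions on other browsers stop resolving."""`. The body of `load_user` continues past the hunk.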