
fix(server): disconnect active sessions after password reset

GitHub issue · Closed

Source: tuist/tuist #10896
Updated: Jun 24, 2026

Summary

  • fix the password reset flow so active browser sessions are disconnected immediately after a successful reset
  • keep the existing token revocation behavior, and extend it with explicit LiveView socket disconnects for already-open sessions
  • add regression coverage for both the revoked session topic calculation and the end-to-end disconnect behavior
  • document in AGENTS.md that agent-authored PR descriptions should preserve problem context, reasoning, impact, and validation instead of only restating the diff

Problem

A password reset already deleted the user’s persisted session tokens, so any new HTTP request should fail authentication.

The gap was that existing LiveView sessions were not explicitly disconnected after those tokens were deleted. In practice, that meant another browser session could stay alive until it refreshed, navigated, or otherwise re-authenticated. That is the behavior the external report was pointing at.

Separately, the review feedback on this PR highlighted that our agent-authored PR descriptions tend to be too terse and lose important implementation context. I added explicit repository guidance for that in AGENTS.md as part of this branch.

Solution

The fix keeps the current revocation model and makes it immediate for connected sessions:

  • query the user’s active session tokens before deleting them during reset_user_password/2
  • derive the corresponding live_socket_id topics from those session tokens
  • after the password reset succeeds, broadcast disconnect to each topic so open LiveView sessions are forced off immediately

This approach was chosen because it is small, targeted, and consistent with the existing logout behavior. It avoids changing broader authentication flows while closing the gap between token revocation and what a user sees in already-open tabs.

The AGENTS.md addition is intentionally narrow: it tells agents that PR descriptions should include what changed, why it changed, the root cause for fixes, why a solution was chosen, the impact, and the validation that was run.

Testing

  • MIX_ENV=test mix ecto.reset
  • mix test test/tuist/accounts_test.exs:2078 test/tuist_web/live/user_reset_password_live_test.exs
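The three Solution steps above (collect the user's session tokens, derive their live_socket_id topics, broadcast "disconnect" once the reset succeeds), as an added Elixir illustration that is not tuist's own code. It assumes the phx.gen.auth convention that the topic is "users_sessions:" plus the url-safe base64 of the token, and it uses constructed maps of functions in place of Ecto and TuistWeb.Endpoint so it runs with plain `elixir`.

```elixir
# Added illustration of the reset-then-disconnect flow; not tuist's own code.
# Assumption (phx.gen.auth convention): the auth plug stores
# "users_sessions:" <> Base.url_encode64(token) in the session as :live_socket_id,
# and each LiveView for that session subscribes to it, so a "disconnect"
# broadcast on that topic tears the socket down.
defmodule PasswordResetDisconnect do
  @topic_prefix "users_sessions:"
  # One PubSub topic per persisted session token.
  def live_socket_id(token) when is_binary(token),
    do: @topic_prefix <> Base.url_encode64(token)
  def revoked_session_topics(tokens), do: Enum.map(tokens, &live_socket_id/1)
  # Order matters: collect topics BEFORE deleting the tokens (afterwards there
  # is nothing to derive them from) and broadcast only AFTER the reset
  # succeeded, so a failed reset leaves the open sessions untouched.
  # `repo` and `endpoint` are maps of functions so this runs without Phoenix.
  def reset_user_password(repo, endpoint, user_id, new_password) do
    topics = revoked_session_topics(repo.list_session_tokens.(user_id))
    with :ok <- repo.update_password.(user_id, new_password),
         :ok <- repo.delete_session_tokens.(user_id) do
      Enum.each(topics, &endpoint.broadcast.(&1, "disconnect", %{}))
      {:ok, topics}
    end
  end
end

# Constructed stand-ins for Ecto and TuistWeb.Endpoint: tokens live in an
# Agent, and every broadcast is recorded instead of going to PubSub.
{:ok, db} = Agent.start_link(fn -> %{tokens: %{1 => [<<1, 2, 3>>, <<4, 5, 6>>]}, sent: []} end)

repo = %{
  list_session_tokens: fn uid -> Agent.get(db, &Map.get(&1.tokens, uid, [])) end,
  update_password: fn
    _uid, pw when byte_size(pw) >= 12 -> :ok
    _uid, _pw -> {:error, :too_short}
  end,
  delete_session_tokens: fn uid -> Agent.update(db, &put_in(&1, [:tokens, uid], [])) end
}

endpoint = %{
  broadcast: fn topic, event, _payload ->
    Agent.update(db, &Map.update!(&1, :sent, fn s -> [{topic, event} | s] end))
  end
}

# A failed reset must not disconnect anyone: tokens stay, nothing is sent.
{:error, :too_short} = PasswordResetDisconnect.reset_user_password(repo, endpoint, 1, "short")
[] = Agent.get(db, & &1.sent)
# A successful reset deletes both tokens and sends one disconnect per topic.
{:ok, topics} = PasswordResetDisconnect.reset_user_password(repo, endpoint, 1, "correct-horse-battery")
IO.inspect(topics, label: "revoked topics")
IO.inspect(Agent.get(db, & &1.sent), label: "broadcasts")
```

In the real flow the Agent is replaced by the Ecto query and delete on the session-token table, and the broadcast by TuistWeb.Endpoint.broadcast/3; the ordering shown is the part that closes the gap described under Problem.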