Description
When a user is notified of a suspicious or unknown login, they should be able to change their password and immediately invalidate all other active sessions and tokens. Currently, changing a password does not guarantee that existing access or refresh tokens become unusable.
Acceptance Criteria
- User can change password after receiving an unknown login notification
- All existing access and refresh tokens are invalidated upon password change
- Only the current session remains valid (optional: force re-login)
- Token invalidation applies across all devices and browsers
- Clear user feedback confirming that other sessions were logged out
Security Considerations
- Token invalidation should be immediate: a token that is accepted on signature and expiry alone cannot be revoked early, so verification must compare something server-side that the password change updates (for example a per-user token version or password-changed timestamp) on every request and every refresh
- No sensitive data (tokens, passwords) should be logged
- Password change events should be auditable
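The following is an added illustration of one way to meet these criteria; it is not code from this project. It assumes a per-user `token_version` counter stored with the account, embeds that counter in every access and refresh token, and bumps it on password change so that all tokens minted earlier fail verification. The signing key, in-memory stores, token format and the `laptop`/`unknown-phone` session ids are constructed for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

# Hypothetical server-side signing key and in-memory stores (constructed for this example).
SIGNING_KEY = secrets.token_bytes(32)
USERS: dict[str, "User"] = {}
AUDIT_LOG: list[dict] = []

ACCESS_TTL = 15 * 60
REFRESH_TTL = 30 * 24 * 3600


@dataclass
class User:
    user_id: str
    salt: bytes
    password_hash: bytes
    token_version: int = 0  # bumped on every password change; embedded in every token


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def create_user(user_id: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    user = User(user_id, salt, _hash_password(password, salt))
    USERS[user_id] = user
    return user


def _sign(claims: dict) -> str:
    body = _b64(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def issue_tokens(user: User, session_id: str, now: float) -> tuple[str, str]:
    """Mint an access/refresh pair bound to the user's current token_version."""
    common = {"sub": user.user_id, "sid": session_id, "ver": user.token_version}
    access = _sign({**common, "typ": "access", "exp": int(now) + ACCESS_TTL})
    refresh = _sign({**common, "typ": "refresh", "exp": int(now) + REFRESH_TTL})
    return access, refresh


def verify_token(token: str, expected_typ: str, now: float) -> dict | None:
    """Return the claims if the token is authentic, unexpired and not revoked, else None."""
    body, _, tag = token.partition(".")
    expected_tag = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not tag or not hmac.compare_digest(tag, expected_tag):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("typ") != expected_typ or claims.get("exp", 0) <= now:
        return None
    user = USERS.get(claims.get("sub"))
    # Revocation check: anything minted before the last password change carries a stale version.
    if user is None or claims.get("ver") != user.token_version:
        return None
    return claims


def change_password(user_id: str, old_password: str, new_password: str,
                    current_session_id: str, now: float) -> tuple[str, str] | None:
    """Rotate the password, invalidate every outstanding token, re-issue the current session."""
    user = USERS.get(user_id)
    if user is None or not hmac.compare_digest(
            user.password_hash, _hash_password(old_password, user.salt)):
        return None
    user.salt = secrets.token_bytes(16)
    user.password_hash = _hash_password(new_password, user.salt)
    user.token_version += 1  # every existing access and refresh token now fails verify_token()
    # Auditable event; deliberately records no token, password or hash material.
    AUDIT_LOG.append({"event": "password_changed", "user": user_id,
                      "session": current_session_id, "ts": int(now)})
    # Keep the session the user is acting from alive by handing it fresh tokens.
    return issue_tokens(user, current_session_id, now)
```

The cost of this design is one `token_version` lookup per request; that lookup is what makes revocation immediate across every device, because nothing about the token itself is trusted for liveness. The audit entry carries only the user, the originating session id and a timestamp, which is what the "no sensitive data logged" criterion asks for.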
Labels
security, auth, backend, high-priority