fix: deletes sessions for user when user is removed (#810)

src/lib/db/user-store.ts

@@ -194,6 +194,10 @@ class UserStore {
             seen_at: new Date(),
         });
     }
+
+    async deleteAll(): Promise<void> {
+        await this.db(TABLE).del();
+    }
 }
 
 module.exports = UserStore;

src/lib/services/user-service.ts

@@ -302,6 +302,7 @@ class UserService {
                 this.accessService.removeUserFromRole(userId, role.id),
             ),
         );
+        await this.sessionService.deleteSessionsForUser(userId);
 
         await this.store.delete(userId);
 

src/test/e2e/api/admin/user-admin.e2e.test.ts

@@ -38,9 +38,7 @@ test.after.always(async () => {
 });
 
 test.afterEach.always(async () => {
-    const users = await userStore.getAll();
-    const deleteAll = users.map((u: User) => userStore.delete(u.id));
-    await Promise.all(deleteAll);
+    await userStore.deleteAll();
 });
 
 test.serial('returns empty list of users', async t => {

src/test/e2e/services/user-service.e2e.test.ts

@@ -10,12 +10,14 @@ import ResetTokenService from '../../../lib/services/reset-token-service';
 import { EmailService } from '../../../lib/services/email-service';
 import { createTestConfig } from '../../config/test-config';
 import SessionService from '../../../lib/services/session-service';
+import NotFoundError from '../../../lib/error/notfound-error';
 
 let db;
 let stores;
 let userService: UserService;
 let userStore: UserStore;
 let adminRole: IRole;
+let sessionService: SessionService;
 
 test.before(async () => {
     db = await dbInit('user_service_serial', getLogger);
@@ -24,7 +26,7 @@ test.before(async () => {
     const accessService = new AccessService(stores, config);
     const resetTokenService = new ResetTokenService(stores, config);
     const emailService = new EmailService(undefined, config.getLogger);
-    const sessionService = new SessionService(stores, config);
+    sessionService = new SessionService(stores, config);
 
     userService = new UserService(stores, config, {
         accessService,
@@ -42,9 +44,7 @@ test.after(async () => {
 });
 
 test.afterEach(async () => {
-    const users = await userStore.getAll();
-    const deleteAll = users.map((u: User) => userStore.delete(u.id));
-    await Promise.all(deleteAll);
+    await userStore.deleteAll();
 });
 
 test.serial('should create initial admin user', async t => {
@@ -96,3 +96,35 @@ test.serial('should get user with root role', async t => {
     t.is(user.id, u.id);
     t.is(user.rootRole, adminRole.id);
 });
+
+test.serial(`deleting a user should delete the user's sessions`, async t => {
+    const email = 'some@test.com';
+    const user = await userService.createUser({
+        email,
+        password: 'A very strange P4ssw0rd_',
+        rootRole: adminRole.id,
+    });
+    const testComSession = {
+        sid: 'xyz321',
+        sess: {
+            cookie: {
+                originalMaxAge: 2880000,
+                expires: new Date(Date.now() + 86400000).toDateString(),
+                secure: false,
+                httpOnly: true,
+                path: '/',
+            },
+            user,
+        },
+    };
+    await sessionService.insertSession(testComSession);
+    const userSessions = await sessionService.getSessionsForUser(user.id);
+    t.is(userSessions.length, 1);
+    await userService.deleteUser(user.id);
+    await t.throwsAsync(
+        async () => sessionService.getSessionsForUser(user.id),
+        {
+            instanceOf: NotFoundError,
+        },
+    );
+});