Merge pull request #2938 from coreos-inc/joseph.schorr/QS-85/signout-all

Invalidate all session tokens when a user signs out

data/model/user.py

@@ -104,8 +104,7 @@ def change_password(user, new_password):
   pw_hash = hash_password(new_password)
   user.invalid_login_attempts = 0
   user.password_hash = pw_hash
-  user.uuid = str(uuid4())
-  user.save()
+  invalidate_all_sessions(user)
 
   # Remove any password required notifications for the user.
   notification.delete_notifications_by_kind(user, 'password_required')
@@ -593,6 +592,13 @@ def get_user_or_org_by_customer_id(customer_id):
   except User.DoesNotExist:
     return None
 
+def invalidate_all_sessions(user):
+  """ Invalidates all existing user sessions by rotating the user's UUID. """
+  if not user:
+    return
+
+  user.uuid = str(uuid4())
+  user.save()
 
 def get_matching_user_namespaces(namespace_prefix, username, limit=10):
   namespace_search = prefix_search(Namespace.username, namespace_prefix)