Invalidate all session tokens when a user signs out

Fixes https://jira.coreos.com/browse/QS-85

endpoints/api/user.py

@@ -725,6 +725,7 @@ class Signout(ApiResource):
   @nickname('logout')
   def post(self):
     """ Request that the current user be signed out. """
+    model.user.invalidate_all_sessions(get_authenticated_user())
     logout_user()
     identity_changed.send(app, identity=AnonymousIdentity())
     return {'success': True}