fix: logout all sessions when mfa is enabled (#644)

DefGuard · Jun 18, 2024 · 99b76f7 · 99b76f7
1 parent 4dc9ff8
commit 99b76f7
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/handlers/auth.rs b/src/handlers/auth.rs
@@ -210,7 +210,7 @@ pub async fn logout(
 /// Enable MFA
 pub async fn mfa_enable(
     cookies: CookieJar,
-    session: Session,
+    _session: Session,
     session_info: SessionInfo,
     State(appstate): State<AppState>,
 ) -> Result<(CookieJar, ApiResponse), WebError> {
@@ -220,9 +220,9 @@ pub async fn mfa_enable(
     if user.mfa_enabled {
         info!("Enabled MFA for user {}", user.username);
         let cookies = cookies.remove(Cookie::from("defguard_sesssion"));
-        session.delete(&appstate.pool).await?;
+        user.logout_all_sessions(&appstate.pool).await?;
         debug!(
-            "Removed auth session for user {} after enabling MFA",
+            "Removed auth sessions for user {} after enabling MFA",
             user.username
         );
         Ok((cookies, ApiResponse::default()))