fix: on password reset, delete all refresh tokens

src/services/users/reset-password/__test__/put.test.ts

@@ -25,6 +25,11 @@ await tap.test('PUT /users/reset-password', async (t) => {
         return userExample
       }
     })
+    sinon.stub(prisma, 'refreshToken').value({
+      deleteMany: async () => {
+        return { count: 1 }
+      }
+    })
     const response = await application.inject({
       method: 'PUT',
       url: '/users/reset-password',

src/services/users/reset-password/put.ts

@@ -39,7 +39,7 @@ export const putResetPasswordUser: FastifyPluginAsync = async (fastify) => {
         user?.temporaryExpirationToken != null &&
         user.temporaryExpirationToken.getTime() > Date.now()
       if (user == null || !isValidTemporaryToken) {
-        throw fastify.httpErrors.badRequest('"tempToken" is invalid')
+        throw fastify.httpErrors.badRequest('`temporaryToken` is invalid.')
       }
       const hashedPassword = await bcrypt.hash(password, 12)
       await prisma.user.update({
@@ -52,6 +52,11 @@ export const putResetPasswordUser: FastifyPluginAsync = async (fastify) => {
           temporaryExpirationToken: null
         }
       })
+      await prisma.refreshToken.deleteMany({
+        where: {
+          userId: user.id
+        }
+      })
       reply.statusCode = 200
       return 'The new password has been saved!'
     }