fix: update /v1/users.logout to properly log out all user sessions (#37846)

2025-12-28 06:47:25 +00:00 · 2025-12-19 17:11:38 -03:00 · 2025-12-19 17:11:38 -03:00 · be80b724a6
commit be80b724a6
parent cc3a99fa34
4 changed files with 24 additions and 1 deletions
--- a/.changeset/slimy-ads-sing.md
+++ b/.changeset/slimy-ads-sing.md
@ -0,0 +1,7 @@
+---
+'@rocket.chat/model-typings': patch
+'@rocket.chat/models': patch
+'@rocket.chat/meteor': patch
+---
+
+Fixes /v1/users.logout not marking user sessions as logged out, leaving stale sessions active.
--- a/apps/meteor/app/api/server/v1/users.ts
+++ b/apps/meteor/app/api/server/v1/users.ts
@ -1,6 +1,6 @@
 import { MeteorError, Team, api, Calendar } from '@rocket.chat/core-services';
 import { type IExportOperation, type ILoginToken, type IPersonalAccessToken, type IUser, type UserStatus } from '@rocket.chat/core-typings';
-import { Users, Subscriptions } from '@rocket.chat/models';
+import { Users, Subscriptions, Sessions } from '@rocket.chat/models';
 import {
 	isUserCreateParamsPOST,
 	isUserSetActiveStatusParamsPOST,
@ -1283,6 +1283,8 @@ API.v1.addRoute(
 				throw new Meteor.Error('error-invalid-user-id', 'Invalid user id');
 			}

+			await Sessions.logoutAllByUserId(userId, this.userId);
+
 			void notifyOnUserChange({ clientAction: 'updated', id: userId, diff: { 'services.resume.loginTokens': [] } });

 			return API.v1.success({
--- a/packages/model-typings/src/models/ISessionsModel.ts
+++ b/packages/model-typings/src/models/ISessionsModel.ts
@ -144,6 +144,8 @@ export interface ISessionsModel extends IBaseModel<ISession> {
 		logoutBy?: IUser['_id'];
 	}): Promise<UpdateResult | Document>;

+	logoutAllByUserId(userId: IUser['_id'], logoutBy: IUser['_id']): Promise<UpdateResult | Document>;
+
 	createBatch(sessions: OptionalId<ISession>[]): Promise<BulkWriteResult | undefined>;

 	updateDailySessionById(_id: ISession['_id'], record: Partial<ISession>): Promise<UpdateResult>;
--- a/packages/models/src/models/Sessions.ts
+++ b/packages/models/src/models/Sessions.ts
@ -1575,6 +1575,18 @@ export class SessionsRaw extends BaseRaw<ISession> implements ISessionsModel {
 		return this.updateMany({ userId, loginToken }, updateObj);
 	}

+	async logoutAllByUserId(userId: IUser['_id'], logoutBy: IUser['_id']): Promise<UpdateResult | Document> {
+		const logoutAt = new Date();
+		const updateObj = {
+			$set: {
+				logoutAt,
+				logoutBy,
+			},
+		};
+
+		return this.updateMany({ userId, logoutAt: { $exists: false } }, updateObj);
+	}
+
 	async createBatch(sessions: OptionalId<ISession>[]): Promise<BulkWriteResult | undefined> {
 		if (!sessions || sessions.length === 0) {
 			return;