Invalidate tokens on password change

src/api/routes/users/@me/index.ts

@@ -9,10 +9,10 @@ import {
 	adjustEmail,
 	Config,
 	UserModifySchema,
+	generateToken,
 } from "@fosscord/util";
 import { route } from "@fosscord/api";
 import bcrypt from "bcrypt";
-import { HTTPError } from "lambert-server";
 
 const router: Router = Router();
 
@@ -36,6 +36,9 @@ router.patch(
 			select: [...PrivateUserProjection, "data"],
 		});
 
+		// Populated on password change
+		var newToken: string | undefined;
+
 		if (body.avatar)
 			body.avatar = await handleFile(
 				`/avatars/${req.user_id}`,
@@ -94,6 +97,8 @@ router.patch(
 				});
 			}
 			user.data.hash = await bcrypt.hash(body.new_password, 12);
+			user.data.valid_tokens_since = new Date();
+			newToken = await generateToken(user.id) as string;
 		}
 
 		if (body.username) {
@@ -140,7 +145,10 @@ router.patch(
 			data: user,
 		} as UserUpdateEvent);
 
-		res.json(user);
+		res.json({
+			...user,
+			newToken,
+		});
 	},
 );