From 10108bb54cc5cdc337c46fd56edd6448f82f8766 Mon Sep 17 00:00:00 2001
From: JoramWilander
Date: Thu, 24 Sep 2015 08:02:01 -0400
Subject: Properly revoke OAuth sessions when revoking all user sessions.
---
 api/user.go | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
(limited to 'api/user.go')
diff --git a/api/user.go b/api/user.go
index 695ab2208..9718d534e 100644
--- a/api/user.go
+++ b/api/user.go
@@ -466,10 +466,14 @@ func RevokeAllSession(c *Context, userId string) {
 for _, session := range sessions {
 c.LogAuditWithUserId(userId, "session_id="+session.Id)
- sessionCache.Remove(session.Token)
- if result := <-Srv.Store.Session().Remove(session.Id); result.Err != nil {
- c.Err = result.Err
- return
+ if session.IsOAuth {
+ RevokeAccessToken(session.Token)
+ } else {
+ sessionCache.Remove(session.Token)
+ if result := <-Srv.Store.Session().Remove(session.Id); result.Err != nil {
+ c.Err = result.Err
+ return
+ }
 }
 }
 }
-- 
cgit v1.2.3-1-g7c22
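Review bot: The return value of `RevokeAccessToken(session.Token)` in the new OAuth branch is discarded, while the non-OAuth branch sets `c.Err` and returns when the store removal fails. If the helper can fail (its signature and body are outside this hunk, as is the start of RevokeAllSession), a failed revocation leaves a live OAuth access token while the caller sees success. Assuming it returns the same error type as `c.Err`, mirror the else branch: `if err := RevokeAccessToken(session.Token); err != nil { c.Err = err; return }`. It is also worth confirming that the helper evicts the token from `sessionCache` and deletes the session row, since this branch no longer does either itself.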