Test session revocation on password change.

services/web/test/acceptance/coffee/SessionTests.coffee

@@ -113,3 +113,80 @@ describe "Sessions", ->
 					done()
 			)
 
+	describe 'three sessions, password reset', ->
+
+		before ->
+			# set up second session for this user
+			@user2 = new User()
+			@user2.email = @user1.email
+			@user2.password = @user1.password
+			@user3 = new User()
+			@user3.email = @user1.email
+			@user3.password = @user1.password
+
+		it "should erase both sessions when password is reset", (done) ->
+			async.series(
+				[
+					(next) =>
+						redis.clearUserSessions @user1, next
+
+					# login, should add session to set
+					, (next) =>
+						@user1.login (err) ->
+							next(err)
+
+					, (next) =>
+						redis.getUserSessions @user1, (err, sessions) =>
+							expect(sessions.length).to.equal 1
+							expect(sessions[0].slice(0, 5)).to.equal 'sess:'
+							next()
+
+					# login again, should add the second session to set
+					, (next) =>
+						@user2.login (err) ->
+							next(err)
+
+					, (next) =>
+						redis.getUserSessions @user1, (err, sessions) =>
+							expect(sessions.length).to.equal 2
+							expect(sessions[0].slice(0, 5)).to.equal 'sess:'
+							expect(sessions[1].slice(0, 5)).to.equal 'sess:'
+							next()
+
+					# login third session, should add the second session to set
+					, (next) =>
+						@user3.login (err) ->
+							next(err)
+
+					, (next) =>
+						redis.getUserSessions @user1, (err, sessions) =>
+							expect(sessions.length).to.equal 3
+							expect(sessions[0].slice(0, 5)).to.equal 'sess:'
+							expect(sessions[1].slice(0, 5)).to.equal 'sess:'
+							next()
+
+					# password reset from second session, should erase two of the three sessions
+					, (next) =>
+						@user2.changePassword (err) ->
+							next(err)
+
+					, (next) =>
+						redis.getUserSessions @user2, (err, sessions) =>
+							expect(sessions.length).to.equal 1
+							next()
+
+					# logout second session, should remove last session from set
+					, (next) =>
+						@user2.logout (err) ->
+							next(err)
+
+					, (next) =>
+						redis.getUserSessions @user1, (err, sessions) =>
+							expect(sessions.length).to.equal 0
+							next()
+
+				], (err, result) =>
+					if err
+						throw err
+					done()
+			)

services/web/test/acceptance/coffee/helpers/User.coffee

@@ -34,7 +34,7 @@ class User
 		@getCsrfToken (error) =>
 			return callback(error) if error?
 			@request.get {
-				url: "/logout" # Register will log in, but also ensure user exists
+				url: "/logout"
 				json:
 					email: @email
 					password: @password
@@ -91,19 +91,19 @@ class User
 			})
 			callback()
 
-	resetPassword: (newPassword, callback = (error) ->) ->
+	changePassword: (callback = (error) ->) ->
 		@getCsrfToken (error) =>
 			return callback(error) if error?
 			@request.post {
-				url: "/user/password/set" # Register will log in, but also ensure user exists
+				url: "/user/password/update"
 				json:
-					password: @password
+					currentPassword: @password
+					newPassword1: @password
+					newPassword2: @password
 			}, (error, response, body) =>
 				return callback(error) if error?
 				db.users.findOne {email: @email}, (error, user) =>
 					return callback(error) if error?
-					@id = user?._id?.toString()
-					@_id = user?._id?.toString()
 					callback()
 
 module.exports = User