adamniedzielski/tiddle

Revoke all tokens on password change


How about deleting all tokens of a user after they change their password? Since they don't want their old password to be used for accessing the app, it makes sense to do the same for the tokens generated through that password.

I imagine utilizing a callback in the user model (something like this, though I guess we can use after_save rather than before_save since we're not storing all tokens in a single field of the user model).

Thank you for the suggestion @halilim. From the security standpoint it really makes sense to invalidate all tokens when the password is changed.

However, it requires a careful implementation in the client-side application using Tiddle. Immediately after requesting the password change, the client-side application would have to show the login screen or request a new token. I'm not sure whether everybody requires such a level of security.

What is more, I'm against the callback-based approach. The only thing you have to add is:

```ruby
user.authentication_tokens.destroy_all
```

in the method where the password is changed.

I will accept a PR which adds a notice to the README saying that removing all tokens on password change is a good idea.

Devise already logs the user out immediately after password change by default. The ease of the callback approach is that it covers multiple places where a user's password can be changed: front, admin and API. OK, I'm trying my luck with a security section in the README :)
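The revocation discussed in this thread, as an added plain-Ruby illustration (not Tiddle's or Devise's own code): the `User` and `AuthenticationToken` classes are stand-ins for the ActiveRecord models, PBKDF2 stands in for Devise's bcrypt, and `change_password!` is the single place where the password changes and every existing token is dropped, so a token issued under the old password stops authenticating.

```ruby
require "securerandom"
require "openssl"
require "digest"
# Added illustration (plain Ruby, not Tiddle's own code): a stand-in for the
# Devise user and its Tiddle authentication_tokens association.
class AuthenticationToken
  attr_reader :body_digest
  def initialize(body)
    # Store only a digest of the token body, as Tiddle does.
    @body_digest = Digest::SHA256.hexdigest(body)
  end
end

class User
  attr_reader :authentication_tokens
  def initialize(password)
    @authentication_tokens = []
    self.password = password
  end
  # Stand-in for Devise's password hashing (PBKDF2 here; Devise uses bcrypt).
  def password=(plain)
    @salt = SecureRandom.hex(8)
    @encrypted_password = OpenSSL::PKCS5.pbkdf2_hmac_sha1(plain, @salt, 10_000, 32)
  end
  def valid_password?(plain)
    OpenSSL::PKCS5.pbkdf2_hmac_sha1(plain, @salt, 10_000, 32) == @encrypted_password
  end
  # Issue a new token and return its plaintext body to the client.
  def create_token
    body = SecureRandom.urlsafe_base64(24)
    @authentication_tokens << AuthenticationToken.new(body)
    body
  end
  # Look the presented token up by its digest, as a request would.
  def token_valid?(body)
    digest = Digest::SHA256.hexdigest(body)
    @authentication_tokens.any? { |t| t.body_digest == digest }
  end
  # The one place the password is changed: revoke every existing token here,
  # the equivalent of user.authentication_tokens.destroy_all in Rails.
  def change_password!(current, new_password)
    return false unless valid_password?(current)
    self.password = new_password
    @authentication_tokens.clear
    true
  end
end
```

A failed change (wrong current password) leaves the existing tokens untouched; only a successful change revokes them.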