From 17a2d269ef47a74eccc8e98c24f0d45716cb7d7e Mon Sep 17 00:00:00 2001
From: Florent Vilmart
Date: Tue, 16 May 2017 14:13:09 -0400
Subject: [PATCH] Always clear sessions when user password is updated (#3821)

* Adds repro to issue #3289
* Always clear sessions when password is updated
---
 spec/ParseServerRESTController.spec.js | 5 +----
 spec/ParseUser.spec.js | 17 +++++++++++++++++
 src/RestWrite.js | 7 +++++--
 3 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/spec/ParseServerRESTController.spec.js b/spec/ParseServerRESTController.spec.js
index 06d5999a..a33244c0 100644
--- a/spec/ParseServerRESTController.spec.js
+++ b/spec/ParseServerRESTController.spec.js
@@ -135,10 +135,7 @@ describe('ParseServerRESTController', () => {
 }).then(sessions => {
 expect(sessions.length).toBe(0);
 done();
- }, (err) => {
- jfail(err);
- done();
- });
+ }, done.fail);
 });

 it('ensures a session token is created when passing installationId != cloud', (done) => {
diff --git a/spec/ParseUser.spec.js b/spec/ParseUser.spec.js
index d6762161..7e144bc5 100644
--- a/spec/ParseUser.spec.js
+++ b/spec/ParseUser.spec.js
@@ -2935,4 +2935,21 @@ describe('Parse.User testing', () => {
 done();
 });
 });
+
+ it('should revoke sessions when setting paswword with masterKey (#3289)', (done) => {
+ let user;
+ Parse.User.signUp('username', 'password')
+ .then((newUser) => {
+ user = newUser;
+ user.set('password', 'newPassword');
+ return user.save(null, {useMasterKey: true});
+ }).then(() => {
+ const query = new Parse.Query('_Session');
+ query.equalTo('user', user);
+ return query.find({useMasterKey: true});
+ }).then((results) => {
+ expect(results.length).toBe(0);
+ done();
+ }, done.fail);
+ });
 });
diff --git a/src/RestWrite.js b/src/RestWrite.js
index 0d2ee2fe..6e045b98 100644
--- a/src/RestWrite.js
+++ b/src/RestWrite.js
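Review bot: In spec/ParseUser.spec.js the new test only asserts that `_Session` holds no rows for the user after the master-key save, so it would also pass if `signUp` had created no session to begin with; nothing establishes that there was a token to revoke. Query `_Session` for the user before the save and assert that at least one row exists, then keep the existing zero-row check, so the test fails if revocation ever stops happening. The test title also misspells password as `paswword`, which makes the regression case harder to find by name.

```javascript
      user = newUser;
      // A session must exist before the password change, or the final check proves nothing.
      const before = new Parse.Query('_Session');
      before.equalTo('user', user);
      return before.find({useMasterKey: true});
    }).then((sessions) => {
      expect(sessions.length).toBeGreaterThan(0);
      user.set('password', 'newPassword');
      return user.save(null, {useMasterKey: true});
    }).then(() => {
      // … unchanged: post-save _Session query and zero-length expectation …
```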
@@ -375,9 +375,12 @@ RestWrite.prototype.transformUser = function() {
 return Promise.resolve();
 }

- if (this.query && !this.auth.isMaster) {
+ if (this.query) {
 this.storage['clearSessions'] = true;
- this.storage['generateNewSession'] = true;
+ // Generate a new session only if the user requested
+ if (!this.auth.isMaster) {
+ this.storage['generateNewSession'] = true;
+ }
 }

 return this._validatePasswordPolicy().then(() => {
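Review bot: The added comment `// Generate a new session only if the user requested` does not match the condition under it, which tests `!this.auth.isMaster` rather than anything the caller asked for. I would reword it to state what the branch means for session handling, e.g. `// Master-key writes revoke all sessions and issue no replacement; other callers get a fresh session.` The hunk only sets the `clearSessions` and `generateNewSession` flags in `this.storage`. The code that acts on them is outside the hunk, so the revocation itself, and what happens if it fails after the new password is written, cannot be checked from here. transformUser starts and ends outside the hunk.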