Add revokeSessionOnPasswordReset option. Closes #1584

[drew-gross]

No description provided.

[flovilmart]

maybe move to the config validate ?

[drew-gross]

Will do

[codecov-io]

Current coverage is 92.77%

Merging #1597 into master will decrease coverage by -0.02% as of 79423c9

@@            master   #1597   diff @@
======================================
  Files           87      87       
  Stmts         5521    5525     +4
  Branches      1052    1054     +2
  Methods          0       0       
======================================
+ Hit           5123    5126     +3
  Partial         14      14       
- Missed         384     385     +1

Review entire Coverage Diff as of 79423c9

Powered by Codecov. Updated on successful CI builds.

[facebook-github-bot]

@drew-gross updated the pull request.

[flovilmart]

So after this PR' sessions won't be revoked on password reset? That seems like a security flow as an impersonator would be able to use and old session.

[drew-gross]

Thats true, it's a marginal security risk. But, it's available in Parse.com, and there could be apps depending on this behaviour, so I don't think it's too bad, especially if your app has a session management page. Also sessions are revoked by default, you need to opt in to the less secure behaviour.

[flovilmart]

Looks like it's The opposite as the default value is false. Is that intended? I'm fine with either, but that changes the default behavior and may impact existing deployments replacing the behavior by a slightly less secure onez

[drew-gross]

Default looks like true from where I'm sitting: https://github.com/ParsePlatform/parse-server/pull/1597/files#diff-fd794f727e5f1cd4aa9c54051208b6c9R118

[flovilmart]

Was reading the wrong line. Sorry about that