Sign out other sessions of user on password change

app/routes/_gcn.user.password/password.server.ts

@@ -5,7 +5,12 @@
  *
  * SPDX-License-Identifier: Apache-2.0
  */
-import { ChangePasswordCommand } from '@aws-sdk/client-cognito-identity-provider'
+import { tables } from '@architect/functions'
+import {
+  ChangePasswordCommand,
+  GlobalSignOutCommand,
+} from '@aws-sdk/client-cognito-identity-provider'
+import { type DynamoDBDocument, paginateQuery } from '@aws-sdk/lib-dynamodb'
 
 import { storage } from '../_gcn._auth/auth.server'
 import { getUser } from '../_gcn._auth/user.server'
@@ -39,5 +44,39 @@ export async function updatePassword(
       throw error
     }
   }
+
+  // Terminate all of the other sessions of this user.
+  const db = await tables()
+  const client = db._doc as unknown as DynamoDBDocument
+  const TableName = db.name('sessions')
+  const pages = await paginateQuery(
+    { client, pageSize: 25 },
+    {
+      KeyConditionExpression: '#sub = :sub',
+      FilterExpression: '#idx <> :idx',
+      ExpressionAttributeNames: { '#sub': 'sub', '#idx': '_idx' },
+      ExpressionAttributeValues: { ':sub': user.sub, ':idx': session.id },
+      IndexName: 'sessionsBySub',
+      TableName,
+      ProjectionExpression: '#idx, refreshToken',
+    }
+  )
+  for await (const { Items } of pages) {
+    if (Items?.length) {
+      await Promise.all([
+        client.batchWrite({
+          RequestItems: {
+            [TableName]: Items.map(({ _idx }) => ({
+              DeleteRequest: { Key: { _idx } },
+            })),
+          },
+        }),
+        ...Items.map(({ refreshToken }) =>
+          cognito.send(new GlobalSignOutCommand({ AccessToken: refreshToken }))
+        ),
+      ])
+    }
+  }
+
   return null
 }