From c3ff1bc2b56814207e95cdea80cf049ad81da986 Mon Sep 17 00:00:00 2001
From: boyska
Date: Fri, 20 May 2022 19:17:35 +0200
Subject: [PATCH] delete session after password change

---
 tresetter.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tresetter.py b/tresetter.py
index a728132..a8951e8 100644
--- a/tresetter.py
+++ b/tresetter.py
@@ -245,6 +245,7 @@ async def change(req: ChangeData, session_id: str = Cookie(None)) -> SuccessData
 hashed = session["proposed_password_hash"]
 if not kdf_verify(hashed, req.password):
 raise HTTPException(status_code=409)
+ delete_session(session_id)
 success = change_password(session["username"], req.password)
 return SuccessData(success=success)
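Review bot: `session["username"]` is read on the line after the new `delete_session(session_id)` call, so the lookup is only safe if `session` is a detached copy rather than a live view of the session store; how it is obtained lies outside the hunk, as does the start of `change`. Reading the value first removes that dependency: put `username = session["username"]` before the delete and call `change_password(username, req.password)`. Deleting before `change_password` also means a failed change (a false `success` or an exception) leaves the user with no session to retry with; that fail-closed order suits a one-time reset token, but it deserves a comment such as `# drop the reset session first so it stays single-use even if the change fails`. If `delete_session` turns out to be a coroutine function, the call would need `await` to take effect inside this `async def`; its definition is not visible here.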