Revoke oauth2 access tokens when a user clears sessions.

r2/r2/controllers/api.py

@@ -668,6 +668,10 @@ class ApiController(RedditController, OAuth2ResourceController):
         form.set_html('.status',
                       _('all other sessions have been logged out'))
         form.set_inputs(curpass = "")
+
+        # deauthorize all access tokens
+        OAuth2AccessToken.revoke_all_by_user(c.user)
+
         # run the change password command to get a new salt
         change_password(c.user, password)
         # the password salt has changed, so the user's cookie has been

r2/r2/models/token.py

@@ -326,6 +326,13 @@ class OAuth2AccessToken(Token):
         else:
             tba._commit()
 
+    @classmethod
+    def revoke_all_by_user(cls, account):
+        """Revokes all access tokens for a given user Account."""
+        tokens = cls._by_user(account)
+        for token in tokens:
+            token.revoke()
+
     @classmethod
     def _by_user(cls, account):
         """Returns a (possibly empty) list of valid access tokens for a given user Account."""