Delete old devices when deauthorizing user sessions

src/api/admin.rs

@@ -171,6 +171,7 @@ fn deauth_user(uuid: String, _token: AdminToken, conn: DbConn) -> EmptyResult {
         None => err!("User doesn't exist"),
     };
 
+    Device::delete_all_by_user(&user.uuid, &conn)?;
     user.reset_security_stamp();
 
     user.save(&conn)

src/api/core/accounts.rs

@@ -322,6 +322,7 @@ fn post_sstamp(data: JsonUpcase<PasswordData>, headers: Headers, conn: DbConn) -
         err!("Invalid password")
     }
 
+    Device::delete_all_by_user(&user.uuid, &conn)?;
     user.reset_security_stamp();
     user.save(&conn)
 }