delete pushers created with different access token on password change

src/api/client/account.rs

@@ -4,7 +4,8 @@ use axum::extract::State;
 use axum_client_ip::InsecureClientIp;
 use conduwuit::{
 	Err, Error, PduBuilder, Result, debug_info, err, error, info, is_equal_to, utils,
-	utils::ReadyExt, warn,
+	utils::{ReadyExt, stream::BroadbandExt},
+	warn,
 };
 use futures::{FutureExt, StreamExt};
 use register::RegistrationKind;
@@ -627,6 +628,26 @@ pub(crate) async fn change_password_route(
 			.ready_filter(|id| *id != sender_device)
 			.for_each(|id| services.users.remove_device(sender_user, id))
 			.await;
+
+		// Remove all pushers except the ones associated with this session
+		services
+			.pusher
+			.get_pushkeys(sender_user)
+			.map(ToOwned::to_owned)
+			.broad_filter_map(|pushkey| async move {
+				services
+					.pusher
+					.get_pusher_device(&pushkey)
+					.await
+					.ok()
+					.filter(|pusher_device| pusher_device != sender_device)
+					.is_some()
+					.then_some(pushkey)
+			})
+			.for_each(|pushkey| async move {
+				services.pusher.delete_pusher(sender_user, &pushkey).await;
+			})
+			.await;
 	}
 
 	info!("User {sender_user} changed their password.");

src/api/client/push.rs

@@ -503,7 +503,7 @@ pub(crate) async fn set_pushers_route(
 
 	services
 		.pusher
-		.set_pusher(sender_user, &body.action)
+		.set_pusher(sender_user, body.sender_device(), &body.action)
 		.await?;
 
 	Ok(set_pusher::v3::Response::new())