feat(api): invalidate sessions on user deactivation (MS21-AUTH-004) (#582)

Co-authored-by: Jason Woltje <jason@diversecanvas.com>
Co-committed-by: Jason Woltje <jason@diversecanvas.com>

apps/api/src/admin/admin.service.ts

@@ -192,19 +192,22 @@ export class AdminService {
       throw new BadRequestException(`User ${id} is already deactivated`);
     }
 
-    const user = await this.prisma.user.update({
-      where: { id },
-      data: { deactivatedAt: new Date() },
-      include: {
-        workspaceMemberships: {
-          include: {
-            workspace: { select: { id: true, name: true } },
+    const [user] = await this.prisma.$transaction([
+      this.prisma.user.update({
+        where: { id },
+        data: { deactivatedAt: new Date() },
+        include: {
+          workspaceMemberships: {
+            include: {
+              workspace: { select: { id: true, name: true } },
+            },
           },
         },
-      },
-    });
+      }),
+      this.prisma.session.deleteMany({ where: { userId: id } }),
+    ]);
 
-    this.logger.log(`User deactivated: ${id}`);
+    this.logger.log(`User deactivated and sessions invalidated: ${id}`);
 
     return {
       id: user.id,