3452464809
- setUserPassword and resetPassword now call activeSession.deleteMany after updating the passwordHash, so any pre-change sessions are immediately revoked (CWE-613 session fixation after credential change)
- setUserPermissions and resetUserPermissions now use explicit Prisma select to exclude passwordHash and totpSecret from the returned user object

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
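
The two changes described in this commit message, shown as an added example (not code from the commit or the project). `makeDb` is a constructed in-memory stand-in for the Prisma client, and the `userId`, `email` and `permissions` field names are assumptions.

```javascript
// Constructed in-memory stand-in for the Prisma client; it mimics only the
// call shapes used below. Field names userId, email, permissions are assumed.
function makeDb() {
  const users = [{ id: 1, email: 'a@example.test', passwordHash: 'old',
                   totpSecret: 'CONSTRUCTED', permissions: [] }];
  const sessions = [{ id: 's1', userId: 1 }, { id: 's2', userId: 1 },
                    { id: 's3', userId: 2 }];
  // Emulate Prisma `select`: return only the fields flagged true.
  const pick = (row, select) => (select
    ? Object.fromEntries(Object.keys(select).filter((k) => select[k]).map((k) => [k, row[k]]))
    : { ...row });
  return {
    sessions,
    user: {
      async update({ where, data, select }) {
        const row = users.find((u) => u.id === where.id);
        if (!row) throw new Error('user not found');
        Object.assign(row, data);
        return pick(row, select);
      },
    },
    activeSession: {
      async deleteMany({ where }) {
        const before = sessions.length;
        for (let i = sessions.length - 1; i >= 0; i--) {
          if (sessions[i].userId === where.userId) sessions.splice(i, 1);
        }
        return { count: before - sessions.length };
      },
    },
  };
}

// Allow-list of fields that may be returned to callers; secrets are never selected.
const SAFE_USER = { id: true, email: true, permissions: true };

// Update the hash first, then revoke every session issued before the change.
async function setUserPassword(db, userId, newHash) {
  await db.user.update({ where: { id: userId }, data: { passwordHash: newHash }, select: { id: true } });
  const { count } = await db.activeSession.deleteMany({ where: { userId } });
  return count; // number of sessions revoked
}

// Return only allow-listed fields so passwordHash and totpSecret cannot leak.
async function setUserPermissions(db, userId, permissions) {
  return db.user.update({ where: { id: userId }, data: { permissions }, select: SAFE_USER });
}
```

With a real Prisma client, the update and the `deleteMany` can be wrapped in `prisma.$transaction` so the new hash and the revocation commit together.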