From 8cc6508b225eb571951f82f094938b12623c818f Mon Sep 17 00:00:00 2001
From: Andy Butland
Date: Tue, 22 Jul 2025 09:50:05 +0200
Subject: [PATCH] Retrieve only user external logins when invalidate following removal of backoffice external user login (#19766)
* Retrieve only user external logins when invalidate following removal of backoffice external user login.
* Improved variable name.
---
 .../Repositories/Implement/UserRepository.cs | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/UserRepository.cs b/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/UserRepository.cs
index c56c40e02e..88f9540a4f 100644
--- a/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/UserRepository.cs
+++ b/src/Umbraco.Infrastructure/Persistence/Repositories/Implement/UserRepository.cs
@@ -1264,13 +1264,14 @@ SELECT 4 AS [Key], COUNT(id) AS [Value] FROM umbracoUser WHERE userDisabled = 0
 ///
 public void InvalidateSessionsForRemovedProviders(IEnumerable currentLoginProviders)
 {
- // Get all the user or member keys associated with the removed providers.
+ // Get all the user keys associated with the removed providers.
 Sql idsQuery = SqlContext.Sql()
 .Select(x => x.UserOrMemberKey)
 .From()
+ .Where(x => !x.LoginProvider.StartsWith(Constants.Security.MemberExternalAuthenticationTypePrefix)) // Only invalidate sessions relating to backoffice users, not members.
 .WhereNotIn(x => x.LoginProvider, currentLoginProviders);
- List userAndMemberKeysAssociatedWithRemovedProviders = Database.Fetch(idsQuery);
- if (userAndMemberKeysAssociatedWithRemovedProviders.Count == 0)
+ List userKeysAssociatedWithRemovedProviders = Database.Fetch(idsQuery);
+ if (userKeysAssociatedWithRemovedProviders.Count == 0)
 {
 return;
 }
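Review bot: The member exclusion on the new `.Where(...)` line hinges on how the expression visitor translates `StartsWith`; if it becomes a `LIKE 'prefix%'`, any `%` or `_` inside `Constants.Security.MemberExternalAuthenticationTypePrefix` would act as a wildcard rather than a literal, so it is worth confirming the constant contains neither or that the translation escapes them. Rows whose LoginProvider is NULL are silently excluded by both the new `NOT LIKE` and the existing `WhereNotIn`, which is presumably fine but should be stated. As a point of style, the trailing comment on that long chained line reads better on its own line above it: `// Only invalidate sessions relating to backoffice users, not members.`. The XML summary that precedes the signature starts outside the hunk and should now say that only backoffice user sessions are invalidated, since that is the behaviour this commit introduces.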
@@ -1278,12 +1279,12 @@ SELECT 4 AS [Key], COUNT(id) AS [Value] FROM umbracoUser WHERE userDisabled = 0
 // Invalidate the security stamps on the users associated with the removed providers.
 Sql updateSecurityStampsQuery = Sql()
 .Update(u => u.Set(x => x.SecurityStampToken, "0".PadLeft(32, '0')))
- .WhereIn(x => x.Key, userAndMemberKeysAssociatedWithRemovedProviders);
+ .WhereIn(x => x.Key, userKeysAssociatedWithRemovedProviders);
 Database.Execute(updateSecurityStampsQuery);
 // Delete the OpenIddict tokens for the users associated with the removed providers.
 // The following is safe from SQL injection as we are dealing with GUIDs, not strings.
- var userKeysForInClause = string.Join("','", userKeysAssociatedWithRemovedProviders.Select(x => x.ToString()));
+ var userKeysForInClause = string.Join("','", userKeysAssociatedWithRemovedProviders.Select(x => x.ToString()));
 Database.Execute("DELETE FROM umbracoOpenIddictTokens WHERE Subject IN ('" + userKeysForInClause + "')");
 }
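Review bot: The renamed `userKeysForInClause` line still builds the DELETE by string concatenation, and its safety rests entirely on the comment above it staying true (keys being GUIDs whose `ToString()` yields only hex digits and hyphens); a later change of the key type or of the `Select` projection would silently turn this into an injection point. The stamp update just above already uses a parameterised `WhereIn`, so the same shape is available here, e.g. `Database.Execute("DELETE FROM umbracoOpenIddictTokens WHERE Subject IN (@0)", userKeysAssociatedWithRemovedProviders.Select(x => x.ToString()).ToList());` if the database layer expands enumerable parameters as NPoco does. If the concatenation is deliberate, say to avoid provider parameter-count limits for large key lists, the comment should state that reason so the next maintainer does not parameterise it away, or the list should be chunked. The two statements appear to run without a visible transaction in this hunk; if the enclosing scope does not provide one, a failure between them leaves stamps reset but tokens intact, which is worth confirming.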