From 4b7a9078fee8c55176a53adef37554b50703cf88 Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 18:21:27 +0200
Subject: [PATCH 01/14] log out ohter sessions on password change

---
 .../lib/model/change_password_dto.dart        | 19 ++++++++++++++++++-
 open-api/immich-openapi-specs.json            |  4 ++++
 open-api/typescript-sdk/src/fetch-client.ts   |  1 +
 server/src/dtos/auth.dto.ts                   |  7 ++++++-
 server/src/repositories/event.repository.ts   |  1 +
 server/src/services/auth.service.ts           |  7 +++++++
 server/src/services/session.service.ts        | 16 +++++++++++++---
 .../change-password-settings.svelte           | 10 +++++++++-
 8 files changed, 59 insertions(+), 6 deletions(-)

diff --git a/mobile/openapi/lib/model/change_password_dto.dart b/mobile/openapi/lib/model/change_password_dto.dart
index 33b7f4a607390..043fc63ed451e 100644
--- a/mobile/openapi/lib/model/change_password_dto.dart
+++ b/mobile/openapi/lib/model/change_password_dto.dart
@@ -13,30 +13,46 @@ part of openapi.api;
 class ChangePasswordDto {
   /// Returns a new [ChangePasswordDto] instance.
   ChangePasswordDto({
+    this.logOutOhterSessions,
     required this.newPassword,
     required this.password,
   });
 
+  ///
+  /// Please note: This property should have been non-nullable! Since the specification file
+  /// does not include a default value (using the "default:" property), however, the generated
+  /// source code must fall back to having a nullable type.
+  /// Consider adding a "default:" property in the specification file to hide this note.
+  ///
+  bool? logOutOhterSessions;
+
   String newPassword;
 
   String password;
 
   @override
   bool operator ==(Object other) => identical(this, other) || other is ChangePasswordDto &&
+    other.logOutOhterSessions == logOutOhterSessions &&
     other.newPassword == newPassword &&
     other.password == password;
 
   @override
   int get hashCode =>
     // ignore: unnecessary_parenthesis
+    (logOutOhterSessions == null ? 0 : logOutOhterSessions!.hashCode) +
     (newPassword.hashCode) +
     (password.hashCode);
 
   @override
-  String toString() => 'ChangePasswordDto[newPassword=$newPassword, password=$password]';
+  String toString() => 'ChangePasswordDto[logOutOhterSessions=$logOutOhterSessions, newPassword=$newPassword, password=$password]';
 
   Map<String, dynamic> toJson() {
     final json = <String, dynamic>{};
+    if (this.logOutOhterSessions != null) {
+      json[r'logOutOhterSessions'] = this.logOutOhterSessions;
+    } else {
+    //  json[r'logOutOhterSessions'] = null;
+    }
       json[r'newPassword'] = this.newPassword;
       json[r'password'] = this.password;
     return json;
@@ -51,6 +67,7 @@ class ChangePasswordDto {
       final json = value.cast<String, dynamic>();
 
       return ChangePasswordDto(
+        logOutOhterSessions: mapValueOfType<bool>(json, r'logOutOhterSessions'),
         newPassword: mapValueOfType<String>(json, r'newPassword')!,
         password: mapValueOfType<String>(json, r'password')!,
       );
diff --git a/open-api/immich-openapi-specs.json b/open-api/immich-openapi-specs.json
index 3b258d505fb4d..9a6cc346c7764 100644
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -11469,6 +11469,10 @@
       },
       "ChangePasswordDto": {
         "properties": {
+          "logOutOhterSessions": {
+            "example": true,
+            "type": "boolean"
+          },
           "newPassword": {
             "example": "password",
             "minLength": 8,
diff --git a/open-api/typescript-sdk/src/fetch-client.ts b/open-api/typescript-sdk/src/fetch-client.ts
index cdd004770144a..22b07fc3b132f 100644
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -561,6 +561,7 @@ export type SignUpDto = {
     password: string;
 };
 export type ChangePasswordDto = {
+    logOutOhterSessions?: boolean;
     newPassword: string;
     password: string;
 };
diff --git a/server/src/dtos/auth.dto.ts b/server/src/dtos/auth.dto.ts
index 2bb98b34a5076..3a8c31a9d9da8 100644
--- a/server/src/dtos/auth.dto.ts
+++ b/server/src/dtos/auth.dto.ts
@@ -1,6 +1,6 @@
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
-import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
+import { IsBoolean, IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
 import { AuthApiKey, AuthSession, AuthSharedLink, AuthUser, UserAdmin } from 'src/database';
 import { ImmichCookie, UserMetadataKey } from 'src/enum';
 import { UserMetadataItem } from 'src/types';
@@ -83,6 +83,11 @@ export class ChangePasswordDto {
   @MinLength(8)
   @ApiProperty({ example: 'password' })
   newPassword!: string;
+
+  @IsBoolean()
+  @Optional()
+  @ApiProperty({ example: true })
+  logOutOhterSessions?: boolean;
 }
 
 export class PinCodeSetupDto {
diff --git a/server/src/repositories/event.repository.ts b/server/src/repositories/event.repository.ts
index 420be0e1b4585..717952db067cd 100644
--- a/server/src/repositories/event.repository.ts
+++ b/server/src/repositories/event.repository.ts
@@ -99,6 +99,7 @@ type EventMap = {
   /** user is permanently deleted */
   UserDelete: [UserEvent];
   UserRestore: [UserEvent];
+  UserChangePassword: [{ userId: string; currentSessionId?: string }];
 
   // websocket events
   WebsocketConnect: [{ userId: string }];
diff --git a/server/src/services/auth.service.ts b/server/src/services/auth.service.ts
index d118f1809a9c0..397759186254a 100644
--- a/server/src/services/auth.service.ts
+++ b/server/src/services/auth.service.ts
@@ -104,6 +104,13 @@ export class AuthService extends BaseService {
 
     const updatedUser = await this.userRepository.update(user.id, { password: hashedPassword });
 
+    if (dto.logOutOhterSessions) {
+      await this.eventRepository.emit('UserChangePassword', {
+        userId: auth.user.id,
+        currentSessionId: auth.session?.id,
+      });
+    }
+
     return mapUserAdmin(updatedUser);
   }
 
diff --git a/server/src/services/session.service.ts b/server/src/services/session.service.ts
index a9c7e92fcbbaf..bed3a75477249 100644
--- a/server/src/services/session.service.ts
+++ b/server/src/services/session.service.ts
@@ -1,6 +1,6 @@
 import { BadRequestException, Injectable } from '@nestjs/common';
 import { DateTime } from 'luxon';
-import { OnJob } from 'src/decorators';
+import { OnEvent, OnJob } from 'src/decorators';
 import { AuthDto } from 'src/dtos/auth.dto';
 import {
   SessionCreateDto,
@@ -10,6 +10,7 @@ import {
   mapSession,
 } from 'src/dtos/session.dto';
 import { JobName, JobStatus, Permission, QueueName } from 'src/enum';
+import { ArgOf } from 'src/repositories/event.repository';
 import { BaseService } from 'src/services/base.service';
 
 @Injectable()
@@ -74,10 +75,19 @@ export class SessionService extends BaseService {
     await this.sessionRepository.update(id, { pinExpiresAt: null });
   }
 
+  @OnEvent({ name: 'UserChangePassword' })
+  async handleUserChangePassword({ userId, currentSessionId }: ArgOf<'UserChangePassword'>): Promise<void> {
+    await this.deleteAllSessionsForUser(userId, currentSessionId);
+  }
+
   async deleteAll(auth: AuthDto): Promise<void> {
-    const sessions = await this.sessionRepository.getByUserId(auth.user.id);
+    await this.deleteAllSessionsForUser(auth.user.id, auth.session?.id);
+  }
+
+  private async deleteAllSessionsForUser(userId: string, excludeSessionId?: string): Promise<void> {
+    const sessions = await this.sessionRepository.getByUserId(userId);
     for (const session of sessions) {
-      if (session.id === auth.session?.id) {
+      if (session.id === excludeSessionId) {
         continue;
       }
       await this.sessionRepository.delete(session.id);
diff --git a/web/src/lib/components/user-settings-page/change-password-settings.svelte b/web/src/lib/components/user-settings-page/change-password-settings.svelte
index 2735c4f13e0a7..a42fa6088e8f0 100644
--- a/web/src/lib/components/user-settings-page/change-password-settings.svelte
+++ b/web/src/lib/components/user-settings-page/change-password-settings.svelte
@@ -4,6 +4,7 @@
     NotificationType,
   } from '$lib/components/shared-components/notification/notification';
   import SettingInputField from '$lib/components/shared-components/settings/setting-input-field.svelte';
+  import SettingSwitch from '$lib/components/shared-components/settings/setting-switch.svelte';
   import { SettingInputFieldType } from '$lib/constants';
   import { changePassword } from '@immich/sdk';
   import { Button } from '@immich/ui';
@@ -14,10 +15,11 @@
   let password = $state('');
   let newPassword = $state('');
   let confirmPassword = $state('');
+  let logOutOhterSessions = $state(false);
 
   const handleChangePassword = async () => {
     try {
-      await changePassword({ changePasswordDto: { password, newPassword } });
+      await changePassword({ changePasswordDto: { password, newPassword, logOutOhterSessions } });
 
       notificationController.show({
         message: $t('updated_password'),
@@ -69,6 +71,12 @@
           passwordAutocomplete="new-password"
         />
 
+        <SettingSwitch
+          title="Cerrar sesion de todos los dispositivos"
+          subtitle="Se cerrara la sesion de todos los dispositivos autorizados menos el actual"
+          bind:checked={logOutOhterSessions}
+        />
+
         <div class="flex justify-end">
           <Button
             shape="round"

From 69e99cd282ed17b46f311c31b873fc16d8a7eb15 Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 18:43:40 +0200
Subject: [PATCH 02/14] translations

---
 i18n/en.json                                                  | 2 ++
 .../user-settings-page/change-password-settings.svelte        | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/i18n/en.json b/i18n/en.json
index 02e573de69a13..57846828de0d0 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -669,6 +669,8 @@
   "change_password_description": "This is either the first time you are signing into the system or a request has been made to change your password. Please enter the new password below.",
   "change_password_form_confirm_password": "Confirm Password",
   "change_password_form_description": "Hi {name},\n\nThis is either the first time you are signing into the system or a request has been made to change your password. Please enter the new password below.",
+  "change_password_form_log_out": "Log out all other devices",
+  "change_password_form_log_out_description": "It is recommended to log out of all other devices",
   "change_password_form_new_password": "New Password",
   "change_password_form_password_mismatch": "Passwords do not match",
   "change_password_form_reenter_new_password": "Re-enter New Password",
diff --git a/web/src/lib/components/user-settings-page/change-password-settings.svelte b/web/src/lib/components/user-settings-page/change-password-settings.svelte
index a42fa6088e8f0..394f9bfeb1d89 100644
--- a/web/src/lib/components/user-settings-page/change-password-settings.svelte
+++ b/web/src/lib/components/user-settings-page/change-password-settings.svelte
@@ -72,8 +72,8 @@
         />
 
         <SettingSwitch
-          title="Cerrar sesion de todos los dispositivos"
-          subtitle="Se cerrara la sesion de todos los dispositivos autorizados menos el actual"
+          title={$t('log_out_all_devices')}
+          subtitle={$t('change_password_form_log_out_description')}
           bind:checked={logOutOhterSessions}
         />
 

From 0155e27c9c0312b4fb0ccf4d76e4fe2d66b29835 Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 19:05:34 +0200
Subject: [PATCH 03/14] update and add tests

---
 server/src/controllers/auth.controller.spec.ts |  2 +-
 server/src/services/auth.service.spec.ts       | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/server/src/controllers/auth.controller.spec.ts b/server/src/controllers/auth.controller.spec.ts
index 031ef460c28cc..6b2ecd59585eb 100644
--- a/server/src/controllers/auth.controller.spec.ts
+++ b/server/src/controllers/auth.controller.spec.ts
@@ -183,7 +183,7 @@ describe(AuthController.name, () => {
     it('should be an authenticated route', async () => {
       await request(ctx.getHttpServer())
         .post('/auth/change-password')
-        .send({ password: 'password', newPassword: 'Password1234' });
+        .send({ password: 'password', newPassword: 'Password1234', logOutOhterSessions: false });
       expect(ctx.authenticate).toHaveBeenCalled();
     });
   });
diff --git a/server/src/services/auth.service.spec.ts b/server/src/services/auth.service.spec.ts
index d8d7598593f57..ee32677c29d4a 100644
--- a/server/src/services/auth.service.spec.ts
+++ b/server/src/services/auth.service.spec.ts
@@ -147,6 +147,24 @@ describe(AuthService.name, () => {
 
       await expect(sut.changePassword(auth, dto)).rejects.toBeInstanceOf(BadRequestException);
     });
+
+    it('should change the password and emmit UserChangePassword', async () => {
+      const user = factory.userAdmin();
+      const auth = factory.auth({ user });
+      const dto = { password: 'old-password', newPassword: 'new-password', logOutOhterSessions: true };
+
+      mocks.user.getForChangePassword.mockResolvedValue({ id: user.id, password: 'hash-password' });
+      mocks.user.update.mockResolvedValue(user);
+
+      await sut.changePassword(auth, dto);
+
+      expect(mocks.user.getForChangePassword).toHaveBeenCalledWith(user.id);
+      expect(mocks.crypto.compareBcrypt).toHaveBeenCalledWith('old-password', 'hash-password');
+      expect(mocks.event.emit).toHaveBeenCalledWith('UserChangePassword', {
+        userId: user.id,
+        currentSessionId: auth.session?.id,
+      });
+    });
   });
 
   describe('logout', () => {

From 457b8bbbf44a9dbdd18213fa86942d406a6bfdff Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 19:06:48 +0200
Subject: [PATCH 04/14] rename event to UserLogoutOtherSessions

---
 server/src/repositories/event.repository.ts | 2 +-
 server/src/services/auth.service.spec.ts    | 4 ++--
 server/src/services/auth.service.ts         | 2 +-
 server/src/services/session.service.ts      | 4 ++--
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/server/src/repositories/event.repository.ts b/server/src/repositories/event.repository.ts
index 717952db067cd..c77ef9d771b51 100644
--- a/server/src/repositories/event.repository.ts
+++ b/server/src/repositories/event.repository.ts
@@ -99,7 +99,7 @@ type EventMap = {
   /** user is permanently deleted */
   UserDelete: [UserEvent];
   UserRestore: [UserEvent];
-  UserChangePassword: [{ userId: string; currentSessionId?: string }];
+  UserLogoutOtherSessions: [{ userId: string; currentSessionId?: string }];
 
   // websocket events
   WebsocketConnect: [{ userId: string }];
diff --git a/server/src/services/auth.service.spec.ts b/server/src/services/auth.service.spec.ts
index ee32677c29d4a..138661d27267b 100644
--- a/server/src/services/auth.service.spec.ts
+++ b/server/src/services/auth.service.spec.ts
@@ -148,7 +148,7 @@ describe(AuthService.name, () => {
       await expect(sut.changePassword(auth, dto)).rejects.toBeInstanceOf(BadRequestException);
     });
 
-    it('should change the password and emmit UserChangePassword', async () => {
+    it('should change the password and emmit UserLogoutOtherSessions', async () => {
       const user = factory.userAdmin();
       const auth = factory.auth({ user });
       const dto = { password: 'old-password', newPassword: 'new-password', logOutOhterSessions: true };
@@ -160,7 +160,7 @@ describe(AuthService.name, () => {
 
       expect(mocks.user.getForChangePassword).toHaveBeenCalledWith(user.id);
       expect(mocks.crypto.compareBcrypt).toHaveBeenCalledWith('old-password', 'hash-password');
-      expect(mocks.event.emit).toHaveBeenCalledWith('UserChangePassword', {
+      expect(mocks.event.emit).toHaveBeenCalledWith('UserLogoutOtherSessions', {
         userId: user.id,
         currentSessionId: auth.session?.id,
       });
diff --git a/server/src/services/auth.service.ts b/server/src/services/auth.service.ts
index 397759186254a..c01c7f36cbc66 100644
--- a/server/src/services/auth.service.ts
+++ b/server/src/services/auth.service.ts
@@ -105,7 +105,7 @@ export class AuthService extends BaseService {
     const updatedUser = await this.userRepository.update(user.id, { password: hashedPassword });
 
     if (dto.logOutOhterSessions) {
-      await this.eventRepository.emit('UserChangePassword', {
+      await this.eventRepository.emit('UserLogoutOtherSessions', {
         userId: auth.user.id,
         currentSessionId: auth.session?.id,
       });
diff --git a/server/src/services/session.service.ts b/server/src/services/session.service.ts
index bed3a75477249..bd6856086fa3d 100644
--- a/server/src/services/session.service.ts
+++ b/server/src/services/session.service.ts
@@ -75,8 +75,8 @@ export class SessionService extends BaseService {
     await this.sessionRepository.update(id, { pinExpiresAt: null });
   }
 
-  @OnEvent({ name: 'UserChangePassword' })
-  async handleUserChangePassword({ userId, currentSessionId }: ArgOf<'UserChangePassword'>): Promise<void> {
+  @OnEvent({ name: 'UserLogoutOtherSessions' })
+  async handleUserLogoutOtherSessions({ userId, currentSessionId }: ArgOf<'UserLogoutOtherSessions'>): Promise<void> {
     await this.deleteAllSessionsForUser(userId, currentSessionId);
   }
 

From 35e26b869509ca107ab2232ff5682b0f547fdb67 Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 19:24:49 +0200
Subject: [PATCH 05/14] fix typo

---
 .../openapi/lib/model/change_password_dto.dart | 18 +++++++++---------
 open-api/immich-openapi-specs.json             |  2 +-
 open-api/typescript-sdk/src/fetch-client.ts    |  2 +-
 server/src/controllers/auth.controller.spec.ts |  2 +-
 server/src/dtos/auth.dto.ts                    |  2 +-
 server/src/services/auth.service.spec.ts       |  2 +-
 server/src/services/auth.service.ts            |  2 +-
 .../change-password-settings.svelte            |  6 +++---
 8 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/mobile/openapi/lib/model/change_password_dto.dart b/mobile/openapi/lib/model/change_password_dto.dart
index 043fc63ed451e..3c3d2d4fb0fd0 100644
--- a/mobile/openapi/lib/model/change_password_dto.dart
+++ b/mobile/openapi/lib/model/change_password_dto.dart
@@ -13,7 +13,7 @@ part of openapi.api;
 class ChangePasswordDto {
   /// Returns a new [ChangePasswordDto] instance.
   ChangePasswordDto({
-    this.logOutOhterSessions,
+    this.logOutOtherSessions,
     required this.newPassword,
     required this.password,
   });
@@ -24,7 +24,7 @@ class ChangePasswordDto {
   /// source code must fall back to having a nullable type.
   /// Consider adding a "default:" property in the specification file to hide this note.
   ///
-  bool? logOutOhterSessions;
+  bool? logOutOtherSessions;
 
   String newPassword;
 
@@ -32,26 +32,26 @@ class ChangePasswordDto {
 
   @override
   bool operator ==(Object other) => identical(this, other) || other is ChangePasswordDto &&
-    other.logOutOhterSessions == logOutOhterSessions &&
+    other.logOutOtherSessions == logOutOtherSessions &&
     other.newPassword == newPassword &&
     other.password == password;
 
   @override
   int get hashCode =>
     // ignore: unnecessary_parenthesis
-    (logOutOhterSessions == null ? 0 : logOutOhterSessions!.hashCode) +
+    (logOutOtherSessions == null ? 0 : logOutOtherSessions!.hashCode) +
     (newPassword.hashCode) +
     (password.hashCode);
 
   @override
-  String toString() => 'ChangePasswordDto[logOutOhterSessions=$logOutOhterSessions, newPassword=$newPassword, password=$password]';
+  String toString() => 'ChangePasswordDto[logOutOtherSessions=$logOutOtherSessions, newPassword=$newPassword, password=$password]';
 
   Map<String, dynamic> toJson() {
     final json = <String, dynamic>{};
-    if (this.logOutOhterSessions != null) {
-      json[r'logOutOhterSessions'] = this.logOutOhterSessions;
+    if (this.logOutOtherSessions != null) {
+      json[r'logOutOtherSessions'] = this.logOutOtherSessions;
     } else {
-    //  json[r'logOutOhterSessions'] = null;
+    //  json[r'logOutOtherSessions'] = null;
     }
       json[r'newPassword'] = this.newPassword;
       json[r'password'] = this.password;
@@ -67,7 +67,7 @@ class ChangePasswordDto {
       final json = value.cast<String, dynamic>();
 
       return ChangePasswordDto(
-        logOutOhterSessions: mapValueOfType<bool>(json, r'logOutOhterSessions'),
+        logOutOtherSessions: mapValueOfType<bool>(json, r'logOutOtherSessions'),
         newPassword: mapValueOfType<String>(json, r'newPassword')!,
         password: mapValueOfType<String>(json, r'password')!,
       );
diff --git a/open-api/immich-openapi-specs.json b/open-api/immich-openapi-specs.json
index 9a6cc346c7764..e5f2ff42a4b35 100644
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -11469,7 +11469,7 @@
       },
       "ChangePasswordDto": {
         "properties": {
-          "logOutOhterSessions": {
+          "logOutOtherSessions": {
             "example": true,
             "type": "boolean"
           },
diff --git a/open-api/typescript-sdk/src/fetch-client.ts b/open-api/typescript-sdk/src/fetch-client.ts
index 22b07fc3b132f..b5c953f2336de 100644
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -561,7 +561,7 @@ export type SignUpDto = {
     password: string;
 };
 export type ChangePasswordDto = {
-    logOutOhterSessions?: boolean;
+    logOutOtherSessions?: boolean;
     newPassword: string;
     password: string;
 };
diff --git a/server/src/controllers/auth.controller.spec.ts b/server/src/controllers/auth.controller.spec.ts
index 6b2ecd59585eb..ddc3617b8bfec 100644
--- a/server/src/controllers/auth.controller.spec.ts
+++ b/server/src/controllers/auth.controller.spec.ts
@@ -183,7 +183,7 @@ describe(AuthController.name, () => {
     it('should be an authenticated route', async () => {
       await request(ctx.getHttpServer())
         .post('/auth/change-password')
-        .send({ password: 'password', newPassword: 'Password1234', logOutOhterSessions: false });
+        .send({ password: 'password', newPassword: 'Password1234', logOutOtherSessions: false });
       expect(ctx.authenticate).toHaveBeenCalled();
     });
   });
diff --git a/server/src/dtos/auth.dto.ts b/server/src/dtos/auth.dto.ts
index 3a8c31a9d9da8..07d6a8699b137 100644
--- a/server/src/dtos/auth.dto.ts
+++ b/server/src/dtos/auth.dto.ts
@@ -87,7 +87,7 @@ export class ChangePasswordDto {
   @IsBoolean()
   @Optional()
   @ApiProperty({ example: true })
-  logOutOhterSessions?: boolean;
+  logOutOtherSessions?: boolean;
 }
 
 export class PinCodeSetupDto {
diff --git a/server/src/services/auth.service.spec.ts b/server/src/services/auth.service.spec.ts
index 138661d27267b..c3590dcbb2e65 100644
--- a/server/src/services/auth.service.spec.ts
+++ b/server/src/services/auth.service.spec.ts
@@ -151,7 +151,7 @@ describe(AuthService.name, () => {
     it('should change the password and emmit UserLogoutOtherSessions', async () => {
       const user = factory.userAdmin();
       const auth = factory.auth({ user });
-      const dto = { password: 'old-password', newPassword: 'new-password', logOutOhterSessions: true };
+      const dto = { password: 'old-password', newPassword: 'new-password', logOutOtherSessions: true };
 
       mocks.user.getForChangePassword.mockResolvedValue({ id: user.id, password: 'hash-password' });
       mocks.user.update.mockResolvedValue(user);
diff --git a/server/src/services/auth.service.ts b/server/src/services/auth.service.ts
index c01c7f36cbc66..81d27d47126d8 100644
--- a/server/src/services/auth.service.ts
+++ b/server/src/services/auth.service.ts
@@ -104,7 +104,7 @@ export class AuthService extends BaseService {
 
     const updatedUser = await this.userRepository.update(user.id, { password: hashedPassword });
 
-    if (dto.logOutOhterSessions) {
+    if (dto.logOutOtherSessions) {
       await this.eventRepository.emit('UserLogoutOtherSessions', {
         userId: auth.user.id,
         currentSessionId: auth.session?.id,
diff --git a/web/src/lib/components/user-settings-page/change-password-settings.svelte b/web/src/lib/components/user-settings-page/change-password-settings.svelte
index 394f9bfeb1d89..68555715ddb0d 100644
--- a/web/src/lib/components/user-settings-page/change-password-settings.svelte
+++ b/web/src/lib/components/user-settings-page/change-password-settings.svelte
@@ -15,11 +15,11 @@
   let password = $state('');
   let newPassword = $state('');
   let confirmPassword = $state('');
-  let logOutOhterSessions = $state(false);
+  let logOutOtherSessions = $state(false);
 
   const handleChangePassword = async () => {
     try {
-      await changePassword({ changePasswordDto: { password, newPassword, logOutOhterSessions } });
+      await changePassword({ changePasswordDto: { password, newPassword, logOutOtherSessions } });
 
       notificationController.show({
         message: $t('updated_password'),
@@ -74,7 +74,7 @@
         <SettingSwitch
           title={$t('log_out_all_devices')}
           subtitle={$t('change_password_form_log_out_description')}
-          bind:checked={logOutOhterSessions}
+          bind:checked={logOutOtherSessions}
         />
 
         <div class="flex justify-end">

From 2a2f4a10e0b02332db0c72948d50136a60acd8ad Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 19:34:38 +0200
Subject: [PATCH 06/14] requested changes

---
 server/src/controllers/session.controller.ts |  2 +-
 server/src/repositories/event.repository.ts  |  2 +-
 server/src/services/auth.service.spec.ts     | 10 ++++++++--
 server/src/services/auth.service.ts          | 11 +++++------
 server/src/services/session.service.ts       | 12 ++++--------
 5 files changed, 19 insertions(+), 18 deletions(-)

diff --git a/server/src/controllers/session.controller.ts b/server/src/controllers/session.controller.ts
index cbe8158fee598..055cf1aae568a 100644
--- a/server/src/controllers/session.controller.ts
+++ b/server/src/controllers/session.controller.ts
@@ -28,7 +28,7 @@ export class SessionController {
   @Authenticated({ permission: Permission.SessionDelete })
   @HttpCode(HttpStatus.NO_CONTENT)
   deleteAllSessions(@Auth() auth: AuthDto): Promise<void> {
-    return this.service.deleteAll(auth);
+    return this.service.deleteAll(auth.user.id);
   }
 
   @Put(':id')
diff --git a/server/src/repositories/event.repository.ts b/server/src/repositories/event.repository.ts
index c77ef9d771b51..c54410b1426da 100644
--- a/server/src/repositories/event.repository.ts
+++ b/server/src/repositories/event.repository.ts
@@ -99,7 +99,7 @@ type EventMap = {
   /** user is permanently deleted */
   UserDelete: [UserEvent];
   UserRestore: [UserEvent];
-  UserLogoutOtherSessions: [{ userId: string; currentSessionId?: string }];
+  UserPasswordChange: [{ userId: string; currentSessionId?: string; shouldLogoutSessions?: boolean }];
 
   // websocket events
   WebsocketConnect: [{ userId: string }];
diff --git a/server/src/services/auth.service.spec.ts b/server/src/services/auth.service.spec.ts
index c3590dcbb2e65..9880a5ccd53ca 100644
--- a/server/src/services/auth.service.spec.ts
+++ b/server/src/services/auth.service.spec.ts
@@ -124,6 +124,11 @@ describe(AuthService.name, () => {
 
       expect(mocks.user.getForChangePassword).toHaveBeenCalledWith(user.id);
       expect(mocks.crypto.compareBcrypt).toHaveBeenCalledWith('old-password', 'hash-password');
+      expect(mocks.event.emit).toHaveBeenCalledWith('UserPasswordChange', {
+        userId: user.id,
+        currentSessionId: auth.session?.id,
+        shouldLogoutSessions: false
+      });
     });
 
     it('should throw when password does not match existing password', async () => {
@@ -148,7 +153,7 @@ describe(AuthService.name, () => {
       await expect(sut.changePassword(auth, dto)).rejects.toBeInstanceOf(BadRequestException);
     });
 
-    it('should change the password and emmit UserLogoutOtherSessions', async () => {
+    it('should change the password and logout other sessions', async () => {
       const user = factory.userAdmin();
       const auth = factory.auth({ user });
       const dto = { password: 'old-password', newPassword: 'new-password', logOutOtherSessions: true };
@@ -160,9 +165,10 @@ describe(AuthService.name, () => {
 
       expect(mocks.user.getForChangePassword).toHaveBeenCalledWith(user.id);
       expect(mocks.crypto.compareBcrypt).toHaveBeenCalledWith('old-password', 'hash-password');
-      expect(mocks.event.emit).toHaveBeenCalledWith('UserLogoutOtherSessions', {
+      expect(mocks.event.emit).toHaveBeenCalledWith('UserPasswordChange', {
         userId: user.id,
         currentSessionId: auth.session?.id,
+        shouldLogoutSessions: true
       });
     });
   });
diff --git a/server/src/services/auth.service.ts b/server/src/services/auth.service.ts
index 81d27d47126d8..eed0038d5d7f4 100644
--- a/server/src/services/auth.service.ts
+++ b/server/src/services/auth.service.ts
@@ -104,12 +104,11 @@ export class AuthService extends BaseService {
 
     const updatedUser = await this.userRepository.update(user.id, { password: hashedPassword });
 
-    if (dto.logOutOtherSessions) {
-      await this.eventRepository.emit('UserLogoutOtherSessions', {
-        userId: auth.user.id,
-        currentSessionId: auth.session?.id,
-      });
-    }
+    await this.eventRepository.emit('UserPasswordChange', {
+      userId: auth.user.id,
+      currentSessionId: auth.session?.id,
+      shouldLogoutSessions: dto.logOutOtherSessions
+    });
 
     return mapUserAdmin(updatedUser);
   }
diff --git a/server/src/services/session.service.ts b/server/src/services/session.service.ts
index bd6856086fa3d..65d35ef1b3a93 100644
--- a/server/src/services/session.service.ts
+++ b/server/src/services/session.service.ts
@@ -75,16 +75,12 @@ export class SessionService extends BaseService {
     await this.sessionRepository.update(id, { pinExpiresAt: null });
   }
 
-  @OnEvent({ name: 'UserLogoutOtherSessions' })
-  async handleUserLogoutOtherSessions({ userId, currentSessionId }: ArgOf<'UserLogoutOtherSessions'>): Promise<void> {
-    await this.deleteAllSessionsForUser(userId, currentSessionId);
+  @OnEvent({ name: 'UserPasswordChange' })
+  async handleUserPasswordChange({ userId, currentSessionId }: ArgOf<'UserPasswordChange'>): Promise<void> {
+    await this.deleteAll(userId, currentSessionId);
   }
 
-  async deleteAll(auth: AuthDto): Promise<void> {
-    await this.deleteAllSessionsForUser(auth.user.id, auth.session?.id);
-  }
-
-  private async deleteAllSessionsForUser(userId: string, excludeSessionId?: string): Promise<void> {
+  async deleteAll(userId: string, excludeSessionId?: string): Promise<void> {
     const sessions = await this.sessionRepository.getByUserId(userId);
     for (const session of sessions) {
       if (session.id === excludeSessionId) {

From e4eacc66cf9c136bb9b8b3342c66ad8752d6480d Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 19:50:21 +0200
Subject: [PATCH 07/14] fix tests

---
 server/src/services/auth.service.spec.ts    | 2 +-
 server/src/services/session.service.spec.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/server/src/services/auth.service.spec.ts b/server/src/services/auth.service.spec.ts
index 9880a5ccd53ca..f2c444ac954cc 100644
--- a/server/src/services/auth.service.spec.ts
+++ b/server/src/services/auth.service.spec.ts
@@ -127,7 +127,7 @@ describe(AuthService.name, () => {
       expect(mocks.event.emit).toHaveBeenCalledWith('UserPasswordChange', {
         userId: user.id,
         currentSessionId: auth.session?.id,
-        shouldLogoutSessions: false
+        shouldLogoutSessions: undefined
       });
     });
 
diff --git a/server/src/services/session.service.spec.ts b/server/src/services/session.service.spec.ts
index 3cbad283896b4..ae16eb2912de9 100644
--- a/server/src/services/session.service.spec.ts
+++ b/server/src/services/session.service.spec.ts
@@ -49,7 +49,7 @@ describe('SessionService', () => {
       mocks.session.getByUserId.mockResolvedValue([currentSession, otherSession]);
       mocks.session.delete.mockResolvedValue();
 
-      await sut.deleteAll(auth);
+      await sut.deleteAll(auth.user.id, auth.session?.id);
 
       expect(mocks.session.getByUserId).toHaveBeenCalledWith(auth.user.id);
       expect(mocks.session.delete).toHaveBeenCalledWith(otherSession.id);

From ee16d2035cbea9e684a49c990bcb293b09d1f1f9 Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 19:57:07 +0200
Subject: [PATCH 08/14] fix medium:test

---
 server/test/medium/specs/services/auth.service.spec.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/test/medium/specs/services/auth.service.spec.ts b/server/test/medium/specs/services/auth.service.spec.ts
index f8bc3f1259028..1fc306f790578 100644
--- a/server/test/medium/specs/services/auth.service.spec.ts
+++ b/server/test/medium/specs/services/auth.service.spec.ts
@@ -131,6 +131,7 @@ describe(AuthService.name, () => {
   describe('changePassword', () => {
     it('should change the password and login with it', async () => {
       const { sut, ctx } = setup();
+      ctx.getMock(EventRepository).emit.mockResolvedValue();
       const dto = { password: 'password', newPassword: 'new-password' };
       const passwordHashed = await hash(dto.password, 10);
       const { user } = await ctx.newUser({ password: passwordHashed });

From a1237a973578220a48174cadcb8dab526ed338f8 Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 20:09:11 +0200
Subject: [PATCH 09/14] use ValidateBoolean

---
 server/src/dtos/auth.dto.ts | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/src/dtos/auth.dto.ts b/server/src/dtos/auth.dto.ts
index 07d6a8699b137..eae8ee826fd2c 100644
--- a/server/src/dtos/auth.dto.ts
+++ b/server/src/dtos/auth.dto.ts
@@ -1,10 +1,10 @@
 import { ApiProperty } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
-import { IsBoolean, IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
+import { IsEmail, IsNotEmpty, IsString, MinLength } from 'class-validator';
 import { AuthApiKey, AuthSession, AuthSharedLink, AuthUser, UserAdmin } from 'src/database';
 import { ImmichCookie, UserMetadataKey } from 'src/enum';
 import { UserMetadataItem } from 'src/types';
-import { Optional, PinCode, toEmail } from 'src/validation';
+import { Optional, PinCode, toEmail, ValidateBoolean } from 'src/validation';
 
 export type CookieResponse = {
   isSecure: boolean;
@@ -84,7 +84,7 @@ export class ChangePasswordDto {
   @ApiProperty({ example: 'password' })
   newPassword!: string;
 
-  @IsBoolean()
+  @ValidateBoolean({ optional: true })
   @Optional()
   @ApiProperty({ example: true })
   logOutOtherSessions?: boolean;

From 19febd8b6462d5b7a4c726ca89fdd0f31006107e Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 20:15:03 +0200
Subject: [PATCH 10/14] fix format

---
 server/src/services/auth.service.spec.ts | 4 ++--
 server/src/services/auth.service.ts      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/src/services/auth.service.spec.ts b/server/src/services/auth.service.spec.ts
index f2c444ac954cc..f28f40c870a6a 100644
--- a/server/src/services/auth.service.spec.ts
+++ b/server/src/services/auth.service.spec.ts
@@ -127,7 +127,7 @@ describe(AuthService.name, () => {
       expect(mocks.event.emit).toHaveBeenCalledWith('UserPasswordChange', {
         userId: user.id,
         currentSessionId: auth.session?.id,
-        shouldLogoutSessions: undefined
+        shouldLogoutSessions: undefined,
       });
     });
 
@@ -168,7 +168,7 @@ describe(AuthService.name, () => {
       expect(mocks.event.emit).toHaveBeenCalledWith('UserPasswordChange', {
         userId: user.id,
         currentSessionId: auth.session?.id,
-        shouldLogoutSessions: true
+        shouldLogoutSessions: true,
       });
     });
   });
diff --git a/server/src/services/auth.service.ts b/server/src/services/auth.service.ts
index eed0038d5d7f4..98d0040d1ac51 100644
--- a/server/src/services/auth.service.ts
+++ b/server/src/services/auth.service.ts
@@ -107,7 +107,7 @@ export class AuthService extends BaseService {
     await this.eventRepository.emit('UserPasswordChange', {
       userId: auth.user.id,
       currentSessionId: auth.session?.id,
-      shouldLogoutSessions: dto.logOutOtherSessions
+      shouldLogoutSessions: dto.logOutOtherSessions,
     });
 
     return mapUserAdmin(updatedUser);

From 390ee2c6b8ef14659a1b7f2184e88dd40633983d Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 20:43:21 +0200
Subject: [PATCH 11/14] dont delete current session id

---
 server/src/controllers/session.controller.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server/src/controllers/session.controller.ts b/server/src/controllers/session.controller.ts
index 055cf1aae568a..fa0b813ade836 100644
--- a/server/src/controllers/session.controller.ts
+++ b/server/src/controllers/session.controller.ts
@@ -28,7 +28,7 @@ export class SessionController {
   @Authenticated({ permission: Permission.SessionDelete })
   @HttpCode(HttpStatus.NO_CONTENT)
   deleteAllSessions(@Auth() auth: AuthDto): Promise<void> {
-    return this.service.deleteAll(auth.user.id);
+    return this.service.deleteAll(auth.user.id, auth.session?.id);
   }
 
   @Put(':id')

From 5576c90a23322bfc7cd7fb0de29666ee89355bf1 Mon Sep 17 00:00:00 2001
From: Jorge Montejo <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 22:06:40 +0200
Subject: [PATCH 12/14] Update server/src/dtos/auth.dto.ts

Co-authored-by: Daniel Dietzler <36593685+danieldietzler@users.noreply.github.com>
---
 server/src/dtos/auth.dto.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/server/src/dtos/auth.dto.ts b/server/src/dtos/auth.dto.ts
index eae8ee826fd2c..d7fec176b6876 100644
--- a/server/src/dtos/auth.dto.ts
+++ b/server/src/dtos/auth.dto.ts
@@ -85,8 +85,6 @@ export class ChangePasswordDto {
   newPassword!: string;
 
   @ValidateBoolean({ optional: true })
-  @Optional()
-  @ApiProperty({ example: true })
   logOutOtherSessions?: boolean;
 }
 

From a0700d00bed742345198067da6faa66a13612215 Mon Sep 17 00:00:00 2001
From: MontejoJorge <jorgemon.lopez@gmail.com>
Date: Thu, 23 Oct 2025 22:28:48 +0200
Subject: [PATCH 13/14] rename event and invalidateOtherSessions

---
 .../openapi/lib/model/change_password_dto.dart | 18 +++++++++---------
 open-api/immich-openapi-specs.json             |  3 +--
 open-api/typescript-sdk/src/fetch-client.ts    |  2 +-
 server/src/controllers/auth.controller.spec.ts |  2 +-
 server/src/dtos/auth.dto.ts                    |  2 +-
 server/src/repositories/event.repository.ts    |  3 ++-
 server/src/services/auth.service.spec.ts       |  6 +++---
 server/src/services/auth.service.ts            |  4 ++--
 server/src/services/session.service.ts         |  4 ++--
 .../change-password-settings.svelte            |  6 +++---
 10 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/mobile/openapi/lib/model/change_password_dto.dart b/mobile/openapi/lib/model/change_password_dto.dart
index 3c3d2d4fb0fd0..bad7f6a4fbe6d 100644
--- a/mobile/openapi/lib/model/change_password_dto.dart
+++ b/mobile/openapi/lib/model/change_password_dto.dart
@@ -13,7 +13,7 @@ part of openapi.api;
 class ChangePasswordDto {
   /// Returns a new [ChangePasswordDto] instance.
   ChangePasswordDto({
-    this.logOutOtherSessions,
+    this.invalidateSessions,
     required this.newPassword,
     required this.password,
   });
@@ -24,7 +24,7 @@ class ChangePasswordDto {
   /// source code must fall back to having a nullable type.
   /// Consider adding a "default:" property in the specification file to hide this note.
   ///
-  bool? logOutOtherSessions;
+  bool? invalidateSessions;
 
   String newPassword;
 
@@ -32,26 +32,26 @@ class ChangePasswordDto {
 
   @override
   bool operator ==(Object other) => identical(this, other) || other is ChangePasswordDto &&
-    other.logOutOtherSessions == logOutOtherSessions &&
+    other.invalidateSessions == invalidateSessions &&
     other.newPassword == newPassword &&
     other.password == password;
 
   @override
   int get hashCode =>
     // ignore: unnecessary_parenthesis
-    (logOutOtherSessions == null ? 0 : logOutOtherSessions!.hashCode) +
+    (invalidateSessions == null ? 0 : invalidateSessions!.hashCode) +
     (newPassword.hashCode) +
     (password.hashCode);
 
   @override
-  String toString() => 'ChangePasswordDto[logOutOtherSessions=$logOutOtherSessions, newPassword=$newPassword, password=$password]';
+  String toString() => 'ChangePasswordDto[invalidateSessions=$invalidateSessions, newPassword=$newPassword, password=$password]';
 
   Map<String, dynamic> toJson() {
     final json = <String, dynamic>{};
-    if (this.logOutOtherSessions != null) {
-      json[r'logOutOtherSessions'] = this.logOutOtherSessions;
+    if (this.invalidateSessions != null) {
+      json[r'invalidateSessions'] = this.invalidateSessions;
     } else {
-    //  json[r'logOutOtherSessions'] = null;
+    //  json[r'invalidateSessions'] = null;
     }
       json[r'newPassword'] = this.newPassword;
       json[r'password'] = this.password;
@@ -67,7 +67,7 @@ class ChangePasswordDto {
       final json = value.cast<String, dynamic>();
 
       return ChangePasswordDto(
-        logOutOtherSessions: mapValueOfType<bool>(json, r'logOutOtherSessions'),
+        invalidateSessions: mapValueOfType<bool>(json, r'invalidateSessions'),
         newPassword: mapValueOfType<String>(json, r'newPassword')!,
         password: mapValueOfType<String>(json, r'password')!,
       );
diff --git a/open-api/immich-openapi-specs.json b/open-api/immich-openapi-specs.json
index e5f2ff42a4b35..2697b42f2fa22 100644
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -11469,8 +11469,7 @@
       },
       "ChangePasswordDto": {
         "properties": {
-          "logOutOtherSessions": {
-            "example": true,
+          "invalidateSessions": {
             "type": "boolean"
           },
           "newPassword": {
diff --git a/open-api/typescript-sdk/src/fetch-client.ts b/open-api/typescript-sdk/src/fetch-client.ts
index b5c953f2336de..1ab3f08c31739 100644
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -561,7 +561,7 @@ export type SignUpDto = {
     password: string;
 };
 export type ChangePasswordDto = {
-    logOutOtherSessions?: boolean;
+    invalidateSessions?: boolean;
     newPassword: string;
     password: string;
 };
diff --git a/server/src/controllers/auth.controller.spec.ts b/server/src/controllers/auth.controller.spec.ts
index ddc3617b8bfec..7dd145ff5cc53 100644
--- a/server/src/controllers/auth.controller.spec.ts
+++ b/server/src/controllers/auth.controller.spec.ts
@@ -183,7 +183,7 @@ describe(AuthController.name, () => {
     it('should be an authenticated route', async () => {
       await request(ctx.getHttpServer())
         .post('/auth/change-password')
-        .send({ password: 'password', newPassword: 'Password1234', logOutOtherSessions: false });
+        .send({ password: 'password', newPassword: 'Password1234', invalidateSessions: false });
       expect(ctx.authenticate).toHaveBeenCalled();
     });
   });
diff --git a/server/src/dtos/auth.dto.ts b/server/src/dtos/auth.dto.ts
index d7fec176b6876..b538545e522b6 100644
--- a/server/src/dtos/auth.dto.ts
+++ b/server/src/dtos/auth.dto.ts
@@ -85,7 +85,7 @@ export class ChangePasswordDto {
   newPassword!: string;
 
   @ValidateBoolean({ optional: true })
-  logOutOtherSessions?: boolean;
+  invalidateSessions?: boolean;
 }
 
 export class PinCodeSetupDto {
diff --git a/server/src/repositories/event.repository.ts b/server/src/repositories/event.repository.ts
index c54410b1426da..7023108426179 100644
--- a/server/src/repositories/event.repository.ts
+++ b/server/src/repositories/event.repository.ts
@@ -99,7 +99,8 @@ type EventMap = {
   /** user is permanently deleted */
   UserDelete: [UserEvent];
   UserRestore: [UserEvent];
-  UserPasswordChange: [{ userId: string; currentSessionId?: string; shouldLogoutSessions?: boolean }];
+
+  AuthChangePassword: [{ userId: string; currentSessionId?: string; shouldLogoutSessions?: boolean }];
 
   // websocket events
   WebsocketConnect: [{ userId: string }];
diff --git a/server/src/services/auth.service.spec.ts b/server/src/services/auth.service.spec.ts
index f28f40c870a6a..203d5b07bfd2e 100644
--- a/server/src/services/auth.service.spec.ts
+++ b/server/src/services/auth.service.spec.ts
@@ -124,7 +124,7 @@ describe(AuthService.name, () => {
 
       expect(mocks.user.getForChangePassword).toHaveBeenCalledWith(user.id);
       expect(mocks.crypto.compareBcrypt).toHaveBeenCalledWith('old-password', 'hash-password');
-      expect(mocks.event.emit).toHaveBeenCalledWith('UserPasswordChange', {
+      expect(mocks.event.emit).toHaveBeenCalledWith('AuthChangePassword', {
         userId: user.id,
         currentSessionId: auth.session?.id,
         shouldLogoutSessions: undefined,
@@ -156,7 +156,7 @@ describe(AuthService.name, () => {
     it('should change the password and logout other sessions', async () => {
       const user = factory.userAdmin();
       const auth = factory.auth({ user });
-      const dto = { password: 'old-password', newPassword: 'new-password', logOutOtherSessions: true };
+      const dto = { password: 'old-password', newPassword: 'new-password', invalidateSessions: true };
 
       mocks.user.getForChangePassword.mockResolvedValue({ id: user.id, password: 'hash-password' });
       mocks.user.update.mockResolvedValue(user);
@@ -165,7 +165,7 @@ describe(AuthService.name, () => {
 
       expect(mocks.user.getForChangePassword).toHaveBeenCalledWith(user.id);
       expect(mocks.crypto.compareBcrypt).toHaveBeenCalledWith('old-password', 'hash-password');
-      expect(mocks.event.emit).toHaveBeenCalledWith('UserPasswordChange', {
+      expect(mocks.event.emit).toHaveBeenCalledWith('AuthChangePassword', {
         userId: user.id,
         currentSessionId: auth.session?.id,
         shouldLogoutSessions: true,
diff --git a/server/src/services/auth.service.ts b/server/src/services/auth.service.ts
index 98d0040d1ac51..a00ceceeba2a3 100644
--- a/server/src/services/auth.service.ts
+++ b/server/src/services/auth.service.ts
@@ -104,10 +104,10 @@ export class AuthService extends BaseService {
 
     const updatedUser = await this.userRepository.update(user.id, { password: hashedPassword });
 
-    await this.eventRepository.emit('UserPasswordChange', {
+    await this.eventRepository.emit('AuthChangePassword', {
       userId: auth.user.id,
       currentSessionId: auth.session?.id,
-      shouldLogoutSessions: dto.logOutOtherSessions,
+      shouldLogoutSessions: dto.invalidateSessions,
     });
 
     return mapUserAdmin(updatedUser);
diff --git a/server/src/services/session.service.ts b/server/src/services/session.service.ts
index 65d35ef1b3a93..ed3fe470087e6 100644
--- a/server/src/services/session.service.ts
+++ b/server/src/services/session.service.ts
@@ -75,8 +75,8 @@ export class SessionService extends BaseService {
     await this.sessionRepository.update(id, { pinExpiresAt: null });
   }
 
-  @OnEvent({ name: 'UserPasswordChange' })
-  async handleUserPasswordChange({ userId, currentSessionId }: ArgOf<'UserPasswordChange'>): Promise<void> {
+  @OnEvent({ name: 'AuthChangePassword' })
+  async onEventAuthChangePassword({ userId, currentSessionId }: ArgOf<'AuthChangePassword'>): Promise<void> {
     await this.deleteAll(userId, currentSessionId);
   }
 
diff --git a/web/src/lib/components/user-settings-page/change-password-settings.svelte b/web/src/lib/components/user-settings-page/change-password-settings.svelte
index 68555715ddb0d..9a476ee5d6cc3 100644
--- a/web/src/lib/components/user-settings-page/change-password-settings.svelte
+++ b/web/src/lib/components/user-settings-page/change-password-settings.svelte
@@ -15,11 +15,11 @@
   let password = $state('');
   let newPassword = $state('');
   let confirmPassword = $state('');
-  let logOutOtherSessions = $state(false);
+  let invalidateSessions = $state(false);
 
   const handleChangePassword = async () => {
     try {
-      await changePassword({ changePasswordDto: { password, newPassword, logOutOtherSessions } });
+      await changePassword({ changePasswordDto: { password, newPassword, invalidateSessions } });
 
       notificationController.show({
         message: $t('updated_password'),
@@ -74,7 +74,7 @@
         <SettingSwitch
           title={$t('log_out_all_devices')}
           subtitle={$t('change_password_form_log_out_description')}
-          bind:checked={logOutOtherSessions}
+          bind:checked={invalidateSessions}
         />
 
         <div class="flex justify-end">

From 53fe0eb03e73dd6a8d8b40eec20f4f15d2d6ea2f Mon Sep 17 00:00:00 2001
From: Jason Rasmussen <jason@rasm.me>
Date: Mon, 27 Oct 2025 09:09:18 -0400
Subject: [PATCH 14/14] chore: cleanup

---
 .../lib/model/change_password_dto.dart        | 18 ++++-------------
 open-api/immich-openapi-specs.json            |  1 +
 server/src/controllers/session.controller.ts  |  2 +-
 server/src/dtos/auth.dto.ts                   |  2 +-
 server/src/queries/session.repository.sql     |  6 ++++++
 server/src/repositories/event.repository.ts   |  2 +-
 server/src/repositories/session.repository.ts |  9 +++++++++
 server/src/services/auth.service.spec.ts      |  2 +-
 server/src/services/auth.service.ts           |  4 ++--
 server/src/services/session.service.spec.ts   | 10 +++-------
 server/src/services/session.service.ts        | 20 ++++++++-----------
 11 files changed, 37 insertions(+), 39 deletions(-)

diff --git a/mobile/openapi/lib/model/change_password_dto.dart b/mobile/openapi/lib/model/change_password_dto.dart
index bad7f6a4fbe6d..4a897f4079aca 100644
--- a/mobile/openapi/lib/model/change_password_dto.dart
+++ b/mobile/openapi/lib/model/change_password_dto.dart
@@ -13,18 +13,12 @@ part of openapi.api;
 class ChangePasswordDto {
   /// Returns a new [ChangePasswordDto] instance.
   ChangePasswordDto({
-    this.invalidateSessions,
+    this.invalidateSessions = false,
     required this.newPassword,
     required this.password,
   });
 
-  ///
-  /// Please note: This property should have been non-nullable! Since the specification file
-  /// does not include a default value (using the "default:" property), however, the generated
-  /// source code must fall back to having a nullable type.
-  /// Consider adding a "default:" property in the specification file to hide this note.
-  ///
-  bool? invalidateSessions;
+  bool invalidateSessions;
 
   String newPassword;
 
@@ -39,7 +33,7 @@ class ChangePasswordDto {
   @override
   int get hashCode =>
     // ignore: unnecessary_parenthesis
-    (invalidateSessions == null ? 0 : invalidateSessions!.hashCode) +
+    (invalidateSessions.hashCode) +
     (newPassword.hashCode) +
     (password.hashCode);
 
@@ -48,11 +42,7 @@ class ChangePasswordDto {
 
   Map<String, dynamic> toJson() {
     final json = <String, dynamic>{};
-    if (this.invalidateSessions != null) {
       json[r'invalidateSessions'] = this.invalidateSessions;
-    } else {
-    //  json[r'invalidateSessions'] = null;
-    }
       json[r'newPassword'] = this.newPassword;
       json[r'password'] = this.password;
     return json;
@@ -67,7 +57,7 @@ class ChangePasswordDto {
       final json = value.cast<String, dynamic>();
 
       return ChangePasswordDto(
-        invalidateSessions: mapValueOfType<bool>(json, r'invalidateSessions'),
+        invalidateSessions: mapValueOfType<bool>(json, r'invalidateSessions') ?? false,
         newPassword: mapValueOfType<String>(json, r'newPassword')!,
         password: mapValueOfType<String>(json, r'password')!,
       );
diff --git a/open-api/immich-openapi-specs.json b/open-api/immich-openapi-specs.json
index 2697b42f2fa22..d8a55e47e0afd 100644
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -11470,6 +11470,7 @@
       "ChangePasswordDto": {
         "properties": {
           "invalidateSessions": {
+            "default": false,
             "type": "boolean"
           },
           "newPassword": {
diff --git a/server/src/controllers/session.controller.ts b/server/src/controllers/session.controller.ts
index fa0b813ade836..cbe8158fee598 100644
--- a/server/src/controllers/session.controller.ts
+++ b/server/src/controllers/session.controller.ts
@@ -28,7 +28,7 @@ export class SessionController {
   @Authenticated({ permission: Permission.SessionDelete })
   @HttpCode(HttpStatus.NO_CONTENT)
   deleteAllSessions(@Auth() auth: AuthDto): Promise<void> {
-    return this.service.deleteAll(auth.user.id, auth.session?.id);
+    return this.service.deleteAll(auth);
   }
 
   @Put(':id')
diff --git a/server/src/dtos/auth.dto.ts b/server/src/dtos/auth.dto.ts
index b538545e522b6..d700fc2ab8ba2 100644
--- a/server/src/dtos/auth.dto.ts
+++ b/server/src/dtos/auth.dto.ts
@@ -84,7 +84,7 @@ export class ChangePasswordDto {
   @ApiProperty({ example: 'password' })
   newPassword!: string;
 
-  @ValidateBoolean({ optional: true })
+  @ValidateBoolean({ optional: true, default: false })
   invalidateSessions?: boolean;
 }
 
diff --git a/server/src/queries/session.repository.sql b/server/src/queries/session.repository.sql
index 831a16342a63b..b39964640986c 100644
--- a/server/src/queries/session.repository.sql
+++ b/server/src/queries/session.repository.sql
@@ -74,6 +74,12 @@ delete from "session"
 where
   "id" = $1::uuid
 
+-- SessionRepository.invalidate
+delete from "session"
+where
+  "userId" = $1
+  and "id" != $2
+
 -- SessionRepository.lockAll
 update "session"
 set
diff --git a/server/src/repositories/event.repository.ts b/server/src/repositories/event.repository.ts
index 7023108426179..97e51fffa2940 100644
--- a/server/src/repositories/event.repository.ts
+++ b/server/src/repositories/event.repository.ts
@@ -100,7 +100,7 @@ type EventMap = {
   UserDelete: [UserEvent];
   UserRestore: [UserEvent];
 
-  AuthChangePassword: [{ userId: string; currentSessionId?: string; shouldLogoutSessions?: boolean }];
+  AuthChangePassword: [{ userId: string; currentSessionId?: string; invalidateSessions?: boolean }];
 
   // websocket events
   WebsocketConnect: [{ userId: string }];
diff --git a/server/src/repositories/session.repository.ts b/server/src/repositories/session.repository.ts
index cdc0ab12db7f0..52292b8e4ab78 100644
--- a/server/src/repositories/session.repository.ts
+++ b/server/src/repositories/session.repository.ts
@@ -101,6 +101,15 @@ export class SessionRepository {
     await this.db.deleteFrom('session').where('id', '=', asUuid(id)).execute();
   }
 
+  @GenerateSql({ params: [{ userId: DummyValue.UUID, excludeId: DummyValue.UUID }] })
+  async invalidate({ userId, excludeId }: { userId: string; excludeId?: string }) {
+    await this.db
+      .deleteFrom('session')
+      .where('userId', '=', userId)
+      .$if(!!excludeId, (qb) => qb.where('id', '!=', excludeId!))
+      .execute();
+  }
+
   @GenerateSql({ params: [DummyValue.UUID] })
   async lockAll(userId: string) {
     await this.db.updateTable('session').set({ pinExpiresAt: null }).where('userId', '=', userId).execute();
diff --git a/server/src/services/auth.service.spec.ts b/server/src/services/auth.service.spec.ts
index 203d5b07bfd2e..a34efedfb0cb3 100644
--- a/server/src/services/auth.service.spec.ts
+++ b/server/src/services/auth.service.spec.ts
@@ -167,8 +167,8 @@ describe(AuthService.name, () => {
       expect(mocks.crypto.compareBcrypt).toHaveBeenCalledWith('old-password', 'hash-password');
       expect(mocks.event.emit).toHaveBeenCalledWith('AuthChangePassword', {
         userId: user.id,
+        invalidateSessions: true,
         currentSessionId: auth.session?.id,
-        shouldLogoutSessions: true,
       });
     });
   });
diff --git a/server/src/services/auth.service.ts b/server/src/services/auth.service.ts
index a00ceceeba2a3..1a68bbfce7ed5 100644
--- a/server/src/services/auth.service.ts
+++ b/server/src/services/auth.service.ts
@@ -105,9 +105,9 @@ export class AuthService extends BaseService {
     const updatedUser = await this.userRepository.update(user.id, { password: hashedPassword });
 
     await this.eventRepository.emit('AuthChangePassword', {
-      userId: auth.user.id,
+      userId: user.id,
       currentSessionId: auth.session?.id,
-      shouldLogoutSessions: dto.invalidateSessions,
+      invalidateSessions: dto.invalidateSessions,
     });
 
     return mapUserAdmin(updatedUser);
diff --git a/server/src/services/session.service.spec.ts b/server/src/services/session.service.spec.ts
index ae16eb2912de9..7eacd148ad72b 100644
--- a/server/src/services/session.service.spec.ts
+++ b/server/src/services/session.service.spec.ts
@@ -43,17 +43,13 @@ describe('SessionService', () => {
   describe('logoutDevices', () => {
     it('should logout all devices', async () => {
       const currentSession = factory.session();
-      const otherSession = factory.session();
       const auth = factory.auth({ session: currentSession });
 
-      mocks.session.getByUserId.mockResolvedValue([currentSession, otherSession]);
-      mocks.session.delete.mockResolvedValue();
+      mocks.session.invalidate.mockResolvedValue();
 
-      await sut.deleteAll(auth.user.id, auth.session?.id);
+      await sut.deleteAll(auth);
 
-      expect(mocks.session.getByUserId).toHaveBeenCalledWith(auth.user.id);
-      expect(mocks.session.delete).toHaveBeenCalledWith(otherSession.id);
-      expect(mocks.session.delete).not.toHaveBeenCalledWith(currentSession.id);
+      expect(mocks.session.invalidate).toHaveBeenCalledWith({ userId: auth.user.id, excludeId: currentSession.id });
     });
   });
 
diff --git a/server/src/services/session.service.ts b/server/src/services/session.service.ts
index ed3fe470087e6..2f477c0d6a721 100644
--- a/server/src/services/session.service.ts
+++ b/server/src/services/session.service.ts
@@ -70,23 +70,19 @@ export class SessionService extends BaseService {
     await this.sessionRepository.delete(id);
   }
 
+  async deleteAll(auth: AuthDto): Promise<void> {
+    const userId = auth.user.id;
+    const currentSessionId = auth.session?.id;
+    await this.sessionRepository.invalidate({ userId, excludeId: currentSessionId });
+  }
+
   async lock(auth: AuthDto, id: string): Promise<void> {
     await this.requireAccess({ auth, permission: Permission.SessionLock, ids: [id] });
     await this.sessionRepository.update(id, { pinExpiresAt: null });
   }
 
   @OnEvent({ name: 'AuthChangePassword' })
-  async onEventAuthChangePassword({ userId, currentSessionId }: ArgOf<'AuthChangePassword'>): Promise<void> {
-    await this.deleteAll(userId, currentSessionId);
-  }
-
-  async deleteAll(userId: string, excludeSessionId?: string): Promise<void> {
-    const sessions = await this.sessionRepository.getByUserId(userId);
-    for (const session of sessions) {
-      if (session.id === excludeSessionId) {
-        continue;
-      }
-      await this.sessionRepository.delete(session.id);
-    }
+  async onAuthChangePassword({ userId, currentSessionId }: ArgOf<'AuthChangePassword'>): Promise<void> {
+    await this.sessionRepository.invalidate({ userId, excludeId: currentSessionId });
   }
 }