Ensure password resets revoke access to Streaming API

app/models/user.rb

@@ -359,6 +359,13 @@ class User < ApplicationRecord
     Doorkeeper::AccessToken.by_resource_owner(self).in_batches do |batch|
       batch.update_all(revoked_at: Time.now.utc)
       Web::PushSubscription.where(access_token_id: batch).delete_all
+
+      # Revoke each access token for the Streaming API, since `update_all``
+      # doesn't trigger ActiveRecord Callbacks:
+      # TODO: #28793 Combine into a single topic
+      batch.each do |token|
+        redis.publish("timeline:access_token:#{token.id}", Oj.dump(event: :kill))
+      end
     end
   end
 

spec/models/user_spec.rb

@@ -439,6 +439,7 @@ RSpec.describe User do
     let!(:web_push_subscription) { Fabricate(:web_push_subscription, access_token: access_token) }
 
     before do
+      allow(redis).to receive_messages(publish: nil)
       user.reset_password!
     end
 
@@ -455,6 +456,10 @@ RSpec.describe User do
       expect(Doorkeeper::AccessToken.active_for(user).count).to eq 0
     end
 
+    it 'revokes streaming access for all access tokens' do
+      expect(redis).to have_received(:publish).with("timeline:access_token:#{access_token.id}", Oj.dump(event: :kill)).once
+    end
+
     it 'removes push subscriptions' do
       expect(Web::PushSubscription.where(user: user).or(Web::PushSubscription.where(access_token: access_token)).count).to eq 0
       expect { web_push_subscription.reload }.to raise_error(ActiveRecord::RecordNotFound)