Don't logout the current session when setting up TFA

src/main/java/cc/pulseapp/api/model/user/session/Session.java

@@ -3,6 +3,7 @@ package cc.pulseapp.api.model.user.session;
 import cc.pulseapp.api.model.user.User;
 import com.fasterxml.jackson.annotation.JsonIgnore;
 import lombok.AllArgsConstructor;
+import lombok.EqualsAndHashCode;
 import lombok.Getter;
 import lombok.NonNull;
 import org.springframework.data.annotation.Id;
@@ -14,13 +15,13 @@ import org.springframework.data.redis.core.index.Indexed;
  *
  * @author Braydon
  */
-@AllArgsConstructor @Getter
+@AllArgsConstructor @Getter @EqualsAndHashCode(onlyExplicitlyIncluded = true)
 @RedisHash(value = "sessions", timeToLive = 30 * 24 * 60 * 60) // Expire in 30 days (days, hours, mins, secs)
 public final class Session {
     /**
      * The snowflake of this session.
      */
-    @Id @JsonIgnore private final long snowflake;
+    @EqualsAndHashCode.Include @Id @JsonIgnore private final long snowflake;
 
     /**
      * The snowflake of the user this session is for.

src/main/java/cc/pulseapp/api/service/UserService.java

@@ -2,6 +2,7 @@ package cc.pulseapp.api.service;
 
 import cc.pulseapp.api.common.HashUtils;
 import cc.pulseapp.api.common.StringUtils;
+import cc.pulseapp.api.common.Tuple;
 import cc.pulseapp.api.exception.impl.BadRequestException;
 import cc.pulseapp.api.model.IGenericResponse;
 import cc.pulseapp.api.model.org.Organization;
@@ -13,6 +14,7 @@ import cc.pulseapp.api.model.user.input.CompleteOnboardingInput;
 import cc.pulseapp.api.model.user.input.EnableTFAInput;
 import cc.pulseapp.api.model.user.input.UserExistsInput;
 import cc.pulseapp.api.model.user.response.UserSetupTFAResponse;
+import cc.pulseapp.api.model.user.session.Session;
 import cc.pulseapp.api.repository.SessionRepository;
 import cc.pulseapp.api.repository.UserRepository;
 import com.github.benmanes.caffeine.cache.Cache;
@@ -181,7 +183,9 @@ public final class UserService {
         if (input == null || (!input.isValid())) { // Ensure the input was provided
             throw new BadRequestException(Error.MALFORMED_ENABLE_TFA_INPUT);
         }
-        User user = authService.getAuthenticatedUser();
+        Tuple<Session, User> sessionAndUser = authService.getSessionAndUser();
+        Session session = sessionAndUser.getLeft();
+        User user = sessionAndUser.getRight();
         if (user.hasFlag(UserFlag.TFA_ENABLED)) { // Ensure TFA isn't already on
             throw new BadRequestException(Error.TFA_ALREADY_ENABLED);
         }
@@ -211,7 +215,9 @@ public final class UserService {
         userRepository.save(user);
 
         // And finally invalidate all of the sessions for the user
-        sessionRepository.deleteAll(sessionRepository.findAllByUserSnowflake(user.getSnowflake()));
+        List<Session> sessions = sessionRepository.findAllByUserSnowflake(user.getSnowflake());
+        sessions.removeIf(activeSession -> activeSession.equals(session));
+        sessionRepository.deleteAll(sessions);
 
         return originalBackupCodes;
     }