update all sessions when changing admin permissions instead of deleting

src/lib/server/session.ts

@@ -46,6 +46,12 @@ export function getSession(
 	return session;
 }
 
+export function updateAllUserSessions(userId: number, options: { permissions: Permissions }) {
+	for (const session of sessions.filter((v) => v.userId == userId)) {
+		session.permissions = options.permissions;
+	}
+}
+
 export function deleteSession(sessionId: string | Cookies) {
 	const session = sessionFromId(sessionId);
 	if (session) {
@@ -54,5 +60,5 @@ export function deleteSession(sessionId: string | Cookies) {
 }
 
 export function deleteAllUserSessions(userId: number) {
-	sessions = sessions.filter((v) => v.userId == userId);
+	sessions = sessions.filter((v) => v.userId != userId);
 }

src/routes/admin/admin/+server.ts

@@ -1,6 +1,12 @@
 import type { RequestHandler } from '@sveltejs/kit';
 import { Permissions } from '$lib/permissions';
-import { addSession, deleteAllUserSessions, deleteSession, getSession } from '$lib/server/session';
+import {
+	addSession,
+	deleteAllUserSessions,
+	deleteSession,
+	getSession,
+	updateAllUserSessions
+} from '$lib/server/session';
 import { Admin } from '$lib/server/database';
 import { env as publicEnv } from '$env/dynamic/public';
 
@@ -62,13 +68,7 @@ export const PATCH = (async ({ request, cookies }) => {
 	}
 	user = await user.update(updatePayload);
 
-	deleteSession(cookies);
+	updateAllUserSessions(user.id, { permissions: user.permissions });
-	cookies.set('session', addSession(user), {
-		path: `${publicEnv.PUBLIC_BASE_PATH}/admin`,
-		maxAge: 60 * 60 * 24 * 90,
-		httpOnly: true,
-		secure: true
-	});
 
 	return new Response();
 }) satisfies RequestHandler;