Make the 'and also log out all my devices' behaviour of password reset optional. #6976
Comments
Related to #6963, though that seems to be about regular password changes rather than password resets.
As far as I can tell this is a duplicate of #6963 since the code paths converge into the same password reset flow (i.e. you eventually end up at Regardless I'll look into this.
@neilisfragile to discuss the UX implications of this with @lampholder
After irl, we want the option to specify via the API but default to the current behaviour. So exactly as @lampholder describes above. The idea being that the client can support an 'I've been hacked, delete all devices!!!' flow alongside an 'oh I just want to update my password' flow.
The spec changes needed for this are at matrix-org/matrix-spec-proposals#2457.
Done in #7085.
Password reset signs out all of your sessions.
The 'password reset' and 'log out all devices' actions do not need to be inseparable. If you suspect your account has been compromised then logging out your other devices is important. In (I think) all other cases it is overkill.
Can we make a backwards-compatible change to the password reset API by adding an optional "and log out all my devices" parameter which defaults to 'true'?
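A sketch of the request handling proposed above, added here as an illustration and not taken from the project's code. The field name `logout_devices`, the `Account` class and `reset_password` are assumptions; the point shown is that an absent flag keeps the log-out-everything default and that a non-boolean value is rejected before any state changes.

```python
import hashlib
import os
from dataclasses import dataclass, field


class BadRequest(ValueError):
    """Raised when the request body is malformed."""


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    # device_id -> access token (constructed sample data, hypothetical model)
    devices: dict = field(default_factory=dict)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def parse_logout_flag(body: dict) -> bool:
    # Absent flag keeps the existing behaviour: every device is logged out.
    value = body.get("logout_devices", True)  # field name is an assumption
    # Strict type check: the string "false" is truthy, so coercing it would
    # silently pick one behaviour without the client noticing.
    if not isinstance(value, bool):
        raise BadRequest("logout_devices must be a JSON boolean")
    return value


def reset_password(account: Account, body: dict) -> list:
    """Apply a reset and return the device ids whose sessions were revoked."""
    new_password = body.get("new_password")
    if not isinstance(new_password, str) or not new_password:
        raise BadRequest("new_password is required")
    logout = parse_logout_flag(body)  # validate before changing any state
    account.salt = os.urandom(16)
    account.password_hash = _hash(new_password, account.salt)
    revoked = sorted(account.devices) if logout else []
    for device_id in revoked:
        del account.devices[device_id]  # that device's token stops working
    return revoked
```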