Bug #17 (open)
JWT Tokens Remain Valid After Password Change
Description
After changing the account password using the /api/admin/password endpoint, previously issued JWT tokens remain valid and can still be used to access protected API endpoints.
This behavior allows any attacker who has obtained a valid JWT token to continue accessing the account even after the legitimate user changes their password.
For sensitive accounts such as Admin / Super Admin, this poses a significant security risk because password change does not effectively terminate existing authenticated sessions.
Steps to Reproduce
- Login as an admin user and obtain a JWT token.
- Send a password change request: POST /api/admin/password
- After the password is successfully changed, continue using the same JWT token to access protected API endpoints.
- Observe that the requests are still accepted.
Actual Result
Previously issued JWT tokens remain valid even after the password is changed.
Expected Result
All previously issued JWT tokens should be invalidated after a password change to ensure that any potentially compromised tokens cannot continue to access the account.
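The following is an added example, not code from the reported project, showing what the expected behaviour looks like server-side and replaying the reproduction steps above against it. It assumes a hand-rolled HS256 JWT with sub, iat and exp claims, a per-user password_changed_at timestamp, and in-memory stand-ins for the login and /api/admin/password handlers; the real service's signing key, algorithm and claim set are not known from the report. verify_vulnerable checks signature and expiry only (the reported behaviour); verify_fixed additionally rejects any token minted at or before the user's last password change.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed for this example: a server-side HS256 secret and a 1-hour token lifetime.
# The real service's signing key, algorithm and claim set are not known from the report.
SECRET = b"example-hmac-secret-do-not-reuse"
TOKEN_LIFETIME = 3600


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user_id: str, issued_at: int) -> str:
    """Mint an HS256 JWT with sub, iat and exp claims (no PyJWT dependency)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": user_id, "iat": issued_at, "exp": issued_at + TOKEN_LIFETIME}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verified_claims(token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # malformed structure, bad base64 (binascii.Error) or bad JSON
        return None
    if not isinstance(claims, dict) or now >= claims.get("exp", 0):
        return None
    return claims


class UserStore:
    """Minimal stand-in for the user table: tracks when each password last changed."""

    def __init__(self):
        self.password_changed_at = {}  # user_id -> unix time of the last password change

    def change_password(self, user_id: str, now: int) -> None:
        # The real handler would also hash and store the new password; only the
        # timestamp matters for token invalidation.
        self.password_changed_at[user_id] = now


def verify_vulnerable(token: str, now: int) -> bool:
    """Signature and expiry only: tokens outlive a password change (the reported bug)."""
    return _verified_claims(token, now) is not None


def verify_fixed(token: str, store: UserStore, now: int) -> bool:
    """Additionally reject any token minted at or before the user's last password change."""
    claims = _verified_claims(token, now)
    if claims is None:
        return False
    changed_at = store.password_changed_at.get(claims.get("sub"), 0)
    # iat has one-second resolution, so a token minted in the same second as the
    # change is treated as pre-change and rejected; failing closed is the safe side.
    return claims.get("iat", 0) > changed_at


def demo():
    """Replay the report's steps: login, change password, reuse the old token."""
    store = UserStore()
    t0 = 1_700_000_000
    token = issue_token("admin", issued_at=t0)          # step 1: login as admin
    before = (verify_vulnerable(token, t0 + 10), verify_fixed(token, store, t0 + 10))
    store.change_password("admin", now=t0 + 60)          # step 2: POST /api/admin/password
    after = (verify_vulnerable(token, t0 + 120), verify_fixed(token, store, t0 + 120))
    return before, after                                 # step 3: old token still accepted?


if __name__ == "__main__":
    print(demo())  # ((True, True), (True, False))
```

Comparing iat against a stored password_changed_at needs no token blocklist and invalidates every token issued before the change in one write; the same comparison can be reused for other session-terminating events (logout-all, MFA reset) by bumping the timestamp.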
Security Impact
If an attacker obtains a valid JWT token through any of the following, they retain access to the account even after the user changes their password:
- XSS attacks
- Token leakage
- Browser storage access
- Network interception
The request has been added to the Postman team workspace for easier replay and API verification.
Files