--- a/mod_sasl2_fast/mod_sasl2_fast.lua	Mon Mar 27 23:19:09 2023 +0200
+++ b/mod_sasl2_fast/mod_sasl2_fast.lua	Tue Mar 28 12:43:05 2023 +0100
@@ -1,3 +1,5 @@
+local usermanager = require "core.usermanager";
+
 local sasl = require "util.sasl";
 local dt = require "util.datetime";
 local id = require "util.id";
@@ -38,6 +40,8 @@
 
 local function new_token_tester(hmac_f)
 	return function (mechanism, username, client_id, token_hash, cb_data, invalidate)
+		local account_info = usermanager.get_account_info(username, module.host);
+		local last_password_change = account_info and account_info.password_updated;
 		local tried_current_token = false;
 		local key = hash.sha256(client_id, true).."-new";
 		local token;
@@ -52,6 +56,12 @@
 						log("debug", "Token found, but it has expired (%ds ago). Cleaning up...", current_time - token.expires_at);
 						token_store:set(username, key, nil);
 						return nil, "credentials-expired";
+					elseif last_password_change and token.issued_at < last_password_change then
+						log("debug", "Token found, but issued prior to password change (%ds ago). Cleaning up...",
+							current_time - last_password_change
+						);
+						token_store:set(username, key, nil);
+						return nil, "credentials-expired";
 					end
 					if not tried_current_token and not invalidate then
 						-- The new token is becoming the current token