diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index e4ef25bc765..35f0b987614 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -405,6 +405,31 @@ RSpec.describe User do
 end
 end
 
+ describe '#revoke_access!' do
+ subject(:user) { Fabricate(:user, disabled: false, current_sign_in_at: current_sign_in_at, last_sign_in_at: nil) }
+
+ let(:current_sign_in_at) { Time.zone.now }
+
+ let!(:token) { Fabricate(:accessible_access_token, resource_owner_id: user.id) }
+
+ let(:redis_pipeline_stub) { instance_double(Redis::PipelinedConnection, publish: nil) }
+
+ before do
+ allow(redis)
+ .to receive(:pipelined)
+ .and_yield(redis_pipeline_stub)
+ end
+
+ it 'revokes tokens' do
+ user.revoke_access!
+
+ expect(redis_pipeline_stub)
+ .to have_received(:publish).with("timeline:access_token:#{token.id}", { event: :kill }.to_json).once
+
+ expect(token.reload.revoked?).to be true
+ end
+ end
+
 describe '#enable!' do
 subject(:user) { Fabricate(:user, disabled: true) }
 
diff --git a/spec/system/auth/passwords_spec.rb b/spec/system/auth/passwords_spec.rb
index 83853d68fa9..55f9c689384 100644
--- a/spec/system/auth/passwords_spec.rb
+++ b/spec/system/auth/passwords_spec.rb
@@ -11,7 +11,14 @@ RSpec.describe 'Auth Passwords' do
 describe 'Resetting a password', :inline_jobs do
 let(:new_password) { 'New.Pass.123' }
 
- before { allow(Devise).to receive(:pam_authentication).and_return(false) } # Avoid the "seamless external" path
+ before do
+ allow(Devise).to receive(:pam_authentication).and_return(false) # Avoid the "seamless external" path
+
+ # Disable wrapstodon to avoid redis calls that we don't want to stub
+ Setting.wrapstodon = false
+
+ allow(redis).to receive(:publish)
+ end
 
 it 'initiates reset, sends link, resets password from form, clears data' do
 visit new_user_password_path
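Review bot: The `#revoke_access!` example added to spec/models/user_spec.rb fabricates a single token, so it would still pass if the method revoked or signalled only one of a user's tokens. For a revocation path, the property worth pinning is that every active token is covered. Adding `let!(:other_token) { Fabricate(:accessible_access_token, resource_owner_id: user.id) }` and repeating the `have_received(:publish)` and `revoked?` expectations for it would close that gap. The `disabled: false`, `current_sign_in_at` and `last_sign_in_at: nil` attributes on the subject are not read by any assertion in this hunk and could be dropped, unless the method (not shown here) depends on them.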
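Review bot: `Setting.wrapstodon = false` in the new `before` block of spec/system/auth/passwords_spec.rb writes a global setting, and nothing visible restores it. Unless the suite already resets settings between examples, the value may carry over into later specs and make them order-dependent. If the code under test reads the value through `Setting.wrapstodon`, a stub such as `allow(Setting).to receive(:wrapstodon).and_return(false)` is undone automatically after each example. The comment above it would also be clearer if it named the redis calls that wrapstodon triggers, since the next line stubs `publish` for every channel anyway.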
@@ -31,6 +38,10 @@ RSpec.describe 'Auth Passwords' do
 .to be_present
 .and be_valid_password(new_password)
 
+ # Disables the token associated with the session
+ expect(redis)
+ .to have_received(:publish).with("timeline:access_token:#{session_activation.access_token.id}", { event: :kill }.to_json).once
+
 # Deactivate session
 expect(user_session_count)
 .to eq(0)
diff --git a/spec/system/streaming/streaming_spec.rb b/spec/system/streaming/streaming_spec.rb
index f5d3ba11426..53aa6f21f71 100644
--- a/spec/system/streaming/streaming_spec.rb
+++ b/spec/system/streaming/streaming_spec.rb
@@ -75,6 +75,23 @@ RSpec.describe 'Streaming', :inline_jobs, :streaming do
 end
 end
 
+ context 'when destroying a session activation tied to the used token' do
+ let(:session_activation) { Fabricate(:session_activation, user: user) }
+ let(:token) { session_activation.access_token }
+
+ it 'disconnects the client' do
+ streaming_client.connect
+
+ expect(streaming_client.status).to eq(101)
+ expect(streaming_client.open?).to be(true)
+
+ session_activation.destroy!
+
+ expect(streaming_client.wait_for(:closed).code).to be(1000)
+ expect(streaming_client.open?).to be(false)
+ end
+ end
+
 context 'with a disabled user account' do
 before do
 user.disable!
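Review bot: The expectation added in the `@@ -31,6 +38,10 @@` hunk of passwords_spec.rb resolves `session_activation.access_token.id` only after the reset has run. The context lines that follow assert that the user's session count is zero, so the lookup appears to rely on the in-memory association still being populated. Capturing the id up front is sturdier: `token_id = session_activation.access_token.id` before the form is submitted, then `"timeline:access_token:#{token_id}"` in the matcher. The check also covers only the kill message. The visible lines do not assert that the token record itself is revoked or removed, which is what prevents a disconnected client from reconnecting. The example body starts and ends outside the hunk.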
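Review bot: The new example in spec/system/streaming/streaming_spec.rb stops once the socket has closed, so it verifies the disconnect but not that the token is unusable afterwards. A regression that publishes the kill event while leaving the token valid would still pass. If the client helper allows a second attempt, ending the example with `streaming_client.connect` and `expect(streaming_client.status).not_to eq(101)` would pin that. Smaller point: the hunk compares integers with both `eq(101)` and `be(1000)`; `eq(1000)` would match the earlier line.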