tech/tanabata
1
1
Fork 0
Code Pull Requests Actions Releases Activity

fix(backend): make access tokens revocable via session validation

Browse Source 
The auth middleware trusted any unexpired, well-signed access token, so
logout, session termination and admin blocks had no effect until the
15-minute token expired. The middleware now validates that the token's
session is still active on every request (SessionRepo.GetByID), and
blocking a user deactivates all of their sessions, immediately revoking
their outstanding access tokens.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Masahiko AMANO
2026-06-10 14:09:25 +03:00
parent fa2acca858
commit 4645107ea1
7 changed files with 47 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/cmd/server/main.go
+1 -1
View File
@@ -92,7 +92,7 @@ func main() {
transactor,
cfg.ImportPath,
)
userSvc := service.NewUserService(userRepo, auditSvc)
userSvc := service.NewUserService(userRepo, sessionRepo, auditSvc)
// Bootstrap the initial administrator (idempotent).
if err := userSvc.EnsureAdmin(context.Background(), cfg.AdminUsername, cfg.AdminPassword); err != nil {