tech/tanabata
1
1
Fork 0
Code Pull Requests Actions Releases Activity

fix(backend): make access tokens revocable via session validation

Browse Source 
The auth middleware trusted any unexpired, well-signed access token, so
logout, session termination and admin blocks had no effect until the
15-minute token expired. The middleware now validates that the token's
session is still active on every request (SessionRepo.GetByID), and
blocking a user deactivates all of their sessions, immediately revoking
their outstanding access tokens.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Masahiko AMANO
2026-06-10 14:09:25 +03:00
parent fa2acca858
commit 4645107ea1
7 changed files with 47 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/internal/integration/server_test.go
+1 -1
View File
@@ -131,7 +131,7 @@ func setupSuite(t *testing.T) *harness {
categorySvc := service.NewCategoryService(categoryRepo, tagRepo, aclSvc, auditSvc)
poolSvc := service.NewPoolService(poolRepo, aclSvc, auditSvc)
fileSvc := service.NewFileService(fileRepo, mimeRepo, diskStorage, aclSvc, auditSvc, tagSvc, transactor, filesDir)
userSvc := service.NewUserService(userRepo, auditSvc)
userSvc := service.NewUserService(userRepo, sessionRepo, auditSvc)
// Bootstrap the admin account the suite logs in with (replaces the old
// hardcoded seed credentials).