fix(backend): make access tokens revocable via session validation

The auth middleware trusted any unexpired, well-signed access token, so logout, session termination and admin blocks had no effect until the 15-minute token expired. The middleware now validates that the token's session is still active on every request (SessionRepo.GetByID), and blocking a user deactivates all of their sessions, immediately revoking their outstanding access tokens.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@@ -132,6 +132,9 @@ type UserRepo interface {
type SessionRepo interface {
// ListByUser returns all active sessions for a user.
ListByUser(ctx context.Context, userID int16) (*domain.SessionList, error)
// GetByID returns an active session by its ID, or ErrNotFound if it does not
// exist or has been deactivated.
GetByID(ctx context.Context, id int) (*domain.Session, error)
// GetByTokenHash looks up a session by the hashed refresh token.
GetByTokenHash(ctx context.Context, hash string) (*domain.Session, error)
Create(ctx context.Context, s *domain.Session) (*domain.Session, error)
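Review bot: The added `GetByID(ctx context.Context, id int)` looks a session up by ID alone, so nothing in this interface ties the session to the user named in the access token. The middleware that calls it has to compare the returned session's owner with the token's subject before accepting the request; please either state that requirement in the doc comment or take the user ID as a second parameter so the repository enforces it. The comment should also say how callers treat errors other than ErrNotFound: since this lookup now runs on every request, a database error must reject the request rather than let the token through. Two smaller points: the name does not signal that deactivated sessions are filtered out (the comment does, but something like GetActiveByID would make call sites self-explanatory), and the session ID is typed `int` while `ListByUser` takes `userID int16`, so it is worth confirming both match the ID types in `domain.Session` and in the token claims.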