fix(api): revoke the native refresh-token family on logout #390
james/carol#390
Follow-up to #385 (native logout now clears the local SecureStore tokens).
Gap
`/api/auth/logout` (`apps/api/app/api/auth/logout/route.ts`) only revokes the web `carol_session` cookie. For native clients (bearer access + refresh tokens, ADR-0027), logout discards the tokens locally but the refresh-token family stays valid server-side until it expires (≤30 days, `REFRESH_TOKEN_TTL_SECONDS`). A token extracted from a device before logout — or a device that logged out offline — remains usable until then.
Work
- `getAuthHeader`) → `AccessTokensRepository.revoke(id)`, and `RefreshTokensRepository.revokeFamily(familyId)` (`apps/api/db/repositories/{access-tokens,refresh-tokens}.ts`).
- `{ refreshToken }`, optional) so the server can resolve the family; alternatively resolve the family from the access token. Validate with zod, keep RFC 7807 errors, regenerate the OpenAPI contract.
- `apps/client/lib/auth/logout.ts` (`performLogout`) sends the refresh token (read from `getRefreshToken()`) before clearing it locally. Best-effort: a failed revoke must not block the local logout.
- `/api/auth/refresh` with that token is rejected; web cookie logout unchanged.
Out of scope
Revoking all of a user's sessions/devices on logout (this is per-device). A "sign out everywhere" affordance would be a separate feature.
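The per-device revocation described in the Gap and Work sections, as an added example that is not the carol project's code: an in-memory model of the bearer logout route, the refresh endpoint refusing a revoked family, and the client's best-effort `performLogout`. The repository stand-ins, the constructed token ids and the error titles are assumptions.

```typescript
// Added example, not code from the carol repo: an in-memory model of the per-device
// logout the issue asks for. Repository stand-ins, token ids and the 401/400 problem
// titles below are assumptions, not the project's API.
type TokenRow = { id: string; familyId: string; revokedAt?: number };
type LogoutResult = { status: number; title?: string; revoked?: number };
// Stand-ins for AccessTokensRepository / RefreshTokensRepository (assumed).
const accessTokens = new Map<string, TokenRow>();
const refreshTokens = new Map<string, TokenRow>();
let seq = 0;
// Issue one access token and one refresh token in a family (one device).
export function issueSession(familyId: string): { access: string; refresh: string } {
  const accessId = `at_${++seq}`, refreshId = `rt_${++seq}`; // constructed ids
  accessTokens.set(accessId, { id: accessId, familyId });
  refreshTokens.set(refreshId, { id: refreshId, familyId });
  return { access: accessId, refresh: refreshId };
}

// RefreshTokensRepository.revokeFamily: revoke every live token of the family.
export function revokeFamily(familyId: string, now: number): number {
  let n = 0;
  refreshTokens.forEach((row) => {
    if (row.familyId === familyId && row.revokedAt === undefined) { row.revokedAt = now; n++; }
  });
  return n;
}

// POST /api/auth/logout for bearer clients: revoke the access token, then the whole
// family, resolved from the optional refreshToken body field or from the access token.
export function nativeLogout(bearer: string | undefined, body: { refreshToken?: string }, now = Date.now()): LogoutResult {
  const at = bearer ? accessTokens.get(bearer) : undefined;
  if (!at || at.revokedAt !== undefined) return { status: 401, title: "Unauthorized" };
  const rt = body.refreshToken ? refreshTokens.get(body.refreshToken) : undefined;
  if (rt && rt.familyId !== at.familyId) return { status: 400, title: "Refresh token is not from this session" };
  at.revokedAt = now;
  return { status: 204, revoked: revokeFamily(rt ? rt.familyId : at.familyId, now) };
}

// POST /api/auth/refresh: a token of a revoked family is refused before its TTL ends.
export function refresh(token: string): { status: number; access?: string; refresh?: string } {
  const rt = refreshTokens.get(token);
  if (!rt || rt.revokedAt !== undefined) return { status: 401 };
  return { status: 200, ...issueSession(rt.familyId) };
}
// Client performLogout: best-effort server revoke, then always clear the local store.
export function performLogout(store: { access?: string; refresh?: string }, revoke: (a: string, r?: string) => void): boolean {
  let serverOk = true;
  try { if (store.access) revoke(store.access, store.refresh); } catch { serverOk = false; }
  delete store.access; delete store.refresh;
  return serverOk;
}
```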