fix(auth): decrypt the access-token fallback before revoking on account deletion
purge_user's revoke used `decrypt(refresh) or tok.access_token`, but access_token is stored ENCRYPTED — so a token row without a refresh token would send ciphertext to Google's revoke endpoint and silently fail. Decrypt it. (Pre-existing; surfaced by the review of the OAuth-scope fix.)
This commit is contained in:
parent
9e6c90bcaf
commit
0850f6a13b
1 changed files with 3 additions and 1 deletions
|
|
@ -440,7 +440,9 @@ def purge_user(db: Session, user: User, background: BackgroundTasks) -> None:
|
|||
email = user.email.lower()
|
||||
user_id = user.id
|
||||
tok = user.token
|
||||
google_token = (decrypt(tok.refresh_token_enc) or tok.access_token) if tok else None
|
||||
# Both are stored encrypted — decrypt for the revoke call (the access-token fallback was passing
|
||||
# ciphertext, so a token row with no refresh token silently failed to revoke).
|
||||
google_token = (decrypt(tok.refresh_token_enc) or decrypt(tok.access_token)) if tok else None
|
||||
# Raw delete so Postgres applies ON DELETE CASCADE / SET NULL on every dependent table.
|
||||
db.execute(delete(User).where(User.id == user_id))
|
||||
db.execute(delete(Invite).where(Invite.email == email))
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue