fix(auth): decrypt the access-token fallback before revoking on account deletion

purge_user's revoke used `decrypt(refresh) or tok.access_token`, but access_token is
stored ENCRYPTED — so a token row without a refresh token would send ciphertext to
Google's revoke endpoint and silently fail. Decrypt it. (Pre-existing; surfaced by the
review of the OAuth-scope fix.)
This commit is contained in:
npeter83 2026-07-12 04:52:31 +02:00
parent 9e6c90bcaf
commit 0850f6a13b

View file

@ -440,7 +440,9 @@ def purge_user(db: Session, user: User, background: BackgroundTasks) -> None:
email = user.email.lower() email = user.email.lower()
user_id = user.id user_id = user.id
tok = user.token tok = user.token
google_token = (decrypt(tok.refresh_token_enc) or tok.access_token) if tok else None # Both are stored encrypted — decrypt for the revoke call (the access-token fallback was passing
# ciphertext, so a token row with no refresh token silently failed to revoke).
google_token = (decrypt(tok.refresh_token_enc) or decrypt(tok.access_token)) if tok else None
# Raw delete so Postgres applies ON DELETE CASCADE / SET NULL on every dependent table. # Raw delete so Postgres applies ON DELETE CASCADE / SET NULL on every dependent table.
db.execute(delete(User).where(User.id == user_id)) db.execute(delete(User).where(User.id == user_id))
db.execute(delete(Invite).where(Invite.email == email)) db.execute(delete(Invite).where(Invite.email == email))