feat(auth): SA4 — server-side session revocation via per-user session epoch
Signed client-side session cookies had no server-side kill switch: logout + password reset couldn't evict a stolen/copied cookie (valid until expiry). Add User.session_epoch (migration 0053), record it in the cookie at every login, and reject in current_user any cookie whose recorded epoch is behind the account's current one. - Bump the epoch on: password reset (kills ALL sessions — a reset is a compromise response), password change + a new 'Log out other sessions' action (both re-stamp the CURRENT cookie so the caller stays signed in, evicting only the others). - Per-account epoch map in the session so one account's revocation doesn't evict the other signed-in accounts in the same browser wallet. - Missing epoch (pre-SA4 cookie) is treated as 0, so the first bump revokes grandfathered sessions too. - New POST /auth/logout-others + a Settings → Account 'Active sessions' button (trilingual).
This commit is contained in:
parent
a65915ea11
commit
95d1549570
8 changed files with 155 additions and 1 deletions
|
|
@ -308,11 +308,36 @@ function AccessRow({
|
|||
function SignInMethods({ me }: { me: Me }) {
|
||||
const { t } = useTranslation();
|
||||
const qc = useQueryClient();
|
||||
const confirm = useConfirm();
|
||||
const [open, setOpen] = useState(false);
|
||||
const [current, setCurrent] = useState("");
|
||||
const [next, setNext] = useState("");
|
||||
const [err, setErr] = useState<string | null>(null);
|
||||
const [busy, setBusy] = useState(false);
|
||||
const [sessBusy, setSessBusy] = useState(false);
|
||||
|
||||
// SA4: sign every OTHER session for this account out (this one stays). For a shared/left-behind
|
||||
// device or a suspected compromise.
|
||||
const logoutOthers = async () => {
|
||||
if (
|
||||
!(await confirm({
|
||||
title: t("settings.account.sessions.confirmTitle"),
|
||||
message: t("settings.account.sessions.confirmBody"),
|
||||
confirmLabel: t("settings.account.sessions.action"),
|
||||
danger: true,
|
||||
}))
|
||||
)
|
||||
return;
|
||||
setSessBusy(true);
|
||||
try {
|
||||
await api.logoutOthers();
|
||||
notify({ level: "success", message: t("settings.account.sessions.done") });
|
||||
} catch {
|
||||
notify({ level: "error", message: t("settings.account.sessions.failed") });
|
||||
} finally {
|
||||
setSessBusy(false);
|
||||
}
|
||||
};
|
||||
|
||||
const submit = async (e: React.FormEvent) => {
|
||||
e.preventDefault();
|
||||
|
|
@ -422,6 +447,24 @@ function SignInMethods({ me }: { me: Me }) {
|
|||
</form>
|
||||
)}
|
||||
</div>
|
||||
|
||||
<div className="border-t border-border mt-1 pt-1">
|
||||
<div className="flex items-start justify-between gap-3 py-2">
|
||||
<div className="min-w-0">
|
||||
<div className="text-sm font-medium">{t("settings.account.sessions.title")}</div>
|
||||
<p className="text-xs text-muted leading-relaxed mt-0.5">
|
||||
{t("settings.account.sessions.hint")}
|
||||
</p>
|
||||
</div>
|
||||
<button
|
||||
onClick={logoutOthers}
|
||||
disabled={sessBusy}
|
||||
className="shrink-0 glass-card glass-hover px-3 py-1.5 rounded-xl text-sm transition disabled:opacity-40"
|
||||
>
|
||||
{t("settings.account.sessions.action")}
|
||||
</button>
|
||||
</div>
|
||||
</div>
|
||||
</Section>
|
||||
);
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue