feat(auth): SA4 — server-side session revocation via per-user session epoch
Signed client-side session cookies had no server-side kill switch: logout + password reset couldn't evict a stolen/copied cookie (valid until expiry). Add User.session_epoch (migration 0053), record it in the cookie at every login, and reject in current_user any cookie whose recorded epoch is behind the account's current one. - Bump the epoch on: password reset (kills ALL sessions — a reset is a compromise response), password change + a new 'Log out other sessions' action (both re-stamp the CURRENT cookie so the caller stays signed in, evicting only the others). - Per-account epoch map in the session so one account's revocation doesn't evict the other signed-in accounts in the same browser wallet. - Missing epoch (pre-SA4 cookie) is treated as 0, so the first bump revokes grandfathered sessions too. - New POST /auth/logout-others + a Settings → Account 'Active sessions' button (trilingual).
This commit is contained in:
parent
a65915ea11
commit
95d1549570
8 changed files with 155 additions and 1 deletions
|
|
@ -97,6 +97,15 @@
|
|||
"saving": "Saving…",
|
||||
"saved": "Password updated for {{email}}.",
|
||||
"failed": "Couldn't update the password."
|
||||
},
|
||||
"sessions": {
|
||||
"title": "Active sessions",
|
||||
"hint": "Sign this account out everywhere else — handy if you left it signed in on a shared or lost device. You stay signed in here.",
|
||||
"action": "Log out other sessions",
|
||||
"confirmTitle": "Log out other sessions?",
|
||||
"confirmBody": "This signs you out of every other browser and device. You'll stay signed in here.",
|
||||
"done": "Signed out of all other sessions.",
|
||||
"failed": "Couldn't sign out other sessions. Please try again."
|
||||
}
|
||||
},
|
||||
"demo": {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue