diff --git a/backend/app/routes/messages.py b/backend/app/routes/messages.py index 5800220..6089550 100644 --- a/backend/app/routes/messages.py +++ b/backend/app/routes/messages.py @@ -376,7 +376,7 @@ async def messages_ws(ws: WebSocket) -> None: # SA4: honour server-side session revocation on the live channel too — reject a cookie whose # recorded epoch is behind the account's current one (mirrors current_user). Without this a # copied cookie could keep receiving pushes after a password reset / "log out everywhere". - epochs = (ws.session if "session" in ws.scope else {}).get("epochs") or {} + epochs = ws.session.get("epochs") or {} epoch_ok = user is not None and int(epochs.get(str(uid), 0)) == (user.session_epoch or 0) ok = epoch_ok and is_messageable_user(user) finally: