fix(auth): tighten refresh session revocation

2026-05-13 15:04:37 +08:00
parent b13870f71b
commit 4fecf9c975
36 changed files with 1664 additions and 170 deletions
--- a/server-rs/crates/api-server/src/auth.rs
+++ b/server-rs/crates/api-server/src/auth.rs
@@ -117,6 +117,34 @@ pub async fn require_bearer_auth(
            .with_message("当前登录态已失效，请重新登录"));
    }

+    let session_is_active = state
+        .refresh_session_service()
+        .is_session_active_for_user(
+            claims.user_id(),
+            claims.session_id(),
+            OffsetDateTime::now_utc(),
+        )
+        .map_err(|error| {
+            warn!(
+                %request_id,
+                user_id = %claims.user_id(),
+                session_id = %claims.session_id(),
+                error = %error,
+                "Bearer JWT refresh session 状态读取失败"
+            );
+            AppError::from_status(StatusCode::INTERNAL_SERVER_ERROR)
+        })?;
+    if !session_is_active {
+        warn!(
+            %request_id,
+            user_id = %claims.user_id(),
+            session_id = %claims.session_id(),
+            "Bearer JWT 对应 refresh session 已失效"
+        );
+        return Err(AppError::from_status(StatusCode::UNAUTHORIZED)
+            .with_message("当前登录态已失效，请重新登录"));
+    }
+
    request
        .extensions_mut()
        .insert(AuthenticatedAccessToken::new(claims.clone()));