fix(auth): tighten refresh session revocation

2026-05-13 15:04:37 +08:00
parent b13870f71b
commit 4fecf9c975
36 changed files with 1664 additions and 170 deletions
--- a/server-rs/crates/api-server/src/password_management.rs
+++ b/server-rs/crates/api-server/src/password_management.rs
@@ -15,7 +15,8 @@ use crate::{
    auth::AuthenticatedAccessToken,
    auth_payload::map_auth_user_payload,
    auth_session::{
-        attach_set_cookie_header, build_refresh_session_cookie_header, create_auth_session,
+        attach_set_cookie_header, build_clear_refresh_session_cookie_header,
+        build_refresh_session_cookie_header, create_auth_session,
        record_daily_login_tracking_event_after_auth_success,
    },
    http_error::AppError,
@@ -30,14 +31,17 @@ pub async fn change_password(
    Extension(request_context): Extension<RequestContext>,
    Extension(authenticated): Extension<AuthenticatedAccessToken>,
    Json(payload): Json<PasswordChangeRequest>,
-) -> Result<Json<serde_json::Value>, AppError> {
+) -> Result<impl IntoResponse, AppError> {
    let result = state
        .password_entry_service()
-        .change_password(ChangePasswordInput {
-            user_id: authenticated.claims().user_id().to_string(),
-            current_password: payload.current_password,
-            new_password: payload.new_password,
-        })
+        .change_password_and_revoke_all_sessions(
+            ChangePasswordInput {
+                user_id: authenticated.claims().user_id().to_string(),
+                current_password: payload.current_password,
+                new_password: payload.new_password,
+            },
+            OffsetDateTime::now_utc(),
+        )
        .await
        .map_err(map_password_management_error)?;
    state
@@ -48,11 +52,20 @@ pub async fn change_password(
                .with_message(format!("同步认证快照失败：{error}"))
        })?;

-    Ok(json_success_body(
-        Some(&request_context),
-        PasswordChangeResponse {
-            user: map_auth_user_payload(result.user),
-        },
+    let mut headers = HeaderMap::new();
+    attach_set_cookie_header(
+        &mut headers,
+        build_clear_refresh_session_cookie_header(&state)?,
+    );
+
+    Ok((
+        headers,
+        json_success_body(
+            Some(&request_context),
+            PasswordChangeResponse {
+                user: map_auth_user_payload(result.user),
+            },
+        ),
    ))
 }