fix(auth): tighten refresh session revocation

2026-05-13 15:04:37 +08:00
parent b13870f71b
commit 4fecf9c975
36 changed files with 1664 additions and 170 deletions
--- a/server-rs/crates/api-server/src/state.rs
+++ b/server-rs/crates/api-server/src/state.rs
@@ -600,6 +600,54 @@ impl AppState {

 #[cfg(test)]
 impl AppState {
+    pub(crate) fn seed_test_refresh_session_for_user(
+        &self,
+        user: &module_auth::AuthUser,
+        seed: &str,
+    ) -> String {
+        let session = self
+            .refresh_session_service()
+            .create_session(
+                module_auth::CreateRefreshSessionInput {
+                    user_id: user.id.clone(),
+                    refresh_token_hash: platform_auth::hash_refresh_session_token(&format!(
+                        "test-refresh-token-{seed}"
+                    )),
+                    issued_by_provider: module_auth::AuthLoginMethod::Password,
+                    client_info: module_auth::RefreshSessionClientInfo {
+                        client_type: "web_browser".to_string(),
+                        client_runtime: "test".to_string(),
+                        client_platform: "test".to_string(),
+                        client_instance_id: Some(seed.to_string()),
+                        device_fingerprint: Some(format!("test-device-{seed}")),
+                        device_display_name: "Test Browser".to_string(),
+                        mini_program_app_id: None,
+                        mini_program_env: None,
+                        user_agent: Some("GenarrativeApiServerTest/1.0".to_string()),
+                        ip: Some("127.0.0.1".to_string()),
+                    },
+                },
+                OffsetDateTime::now_utc(),
+            )
+            .expect("test refresh session should create");
+
+        session.session.session_id
+    }
+
+    pub(crate) fn seed_test_refresh_session_for_user_id(
+        &self,
+        user_id: &str,
+        seed: &str,
+    ) -> String {
+        let user = self
+            .auth_user_service()
+            .get_user_by_id(user_id)
+            .expect("test user lookup should succeed")
+            .expect("test user should exist");
+
+        self.seed_test_refresh_session_for_user(&user, seed)
+    }
+
    fn cache_test_creation_entry_config(&self, config: CreationEntryConfigResponse) {
        *self
            .test_creation_entry_config