Call /auth/revoke-user on L1s during logout
L2 now calls /auth/revoke-user (revokes by username) instead of /auth/revoke (revokes by token), because L1 has scoped tokens that differ from L2's own token. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@@ -543,17 +543,18 @@ async def logout(request: Request):
|
|||||||
expires_at = datetime.fromtimestamp(claims.get("exp", 0), tz=timezone.utc)
|
expires_at = datetime.fromtimestamp(claims.get("exp", 0), tz=timezone.utc)
|
||||||
await db.revoke_token(token_hash, username, expires_at)
|
await db.revoke_token(token_hash, username, expires_at)
|
||||||
|
|
||||||
# Revoke token on all attached L1 renderers
|
# Revoke ALL tokens for this user on attached L1 renderers
|
||||||
|
# (L1 may have scoped tokens different from L2's token)
|
||||||
attached = await db.get_user_renderers(username)
|
attached = await db.get_user_renderers(username)
|
||||||
for l1_url in attached:
|
for l1_url in attached:
|
||||||
try:
|
try:
|
||||||
requests.post(
|
requests.post(
|
||||||
f"{l1_url}/auth/revoke",
|
f"{l1_url}/auth/revoke-user",
|
||||||
headers={"Authorization": f"Bearer {token}"},
|
json={"username": username, "l2_server": f"https://{DOMAIN}"},
|
||||||
timeout=5
|
timeout=5
|
||||||
)
|
)
|
||||||
except Exception as e:
|
except Exception as e:
|
||||||
logger.warning(f"Failed to revoke token on {l1_url}: {e}")
|
logger.warning(f"Failed to revoke user tokens on {l1_url}: {e}")
|
||||||
|
|
||||||
# Remove all attachments for this user
|
# Remove all attachments for this user
|
||||||
for l1_url in attached:
|
for l1_url in attached:
|
||||||
|
|||||||
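Review bot: The new request to `f"{l1_url}/auth/revoke-user"` carries no credential: the `headers={"Authorization": f"Bearer {token}"}` line of the old call is replaced by the JSON body, and `l2_server` is a self-asserted string rather than proof of who is calling. Unless L1's `/auth/revoke-user` handler (not in this hunk) authenticates the caller some other way, any client that can reach an L1 could revoke every session of an arbitrary username, which is a forced-logout denial of service. Keep a credential on the call, e.g. `headers={"Authorization": f"Bearer {token}"},` alongside the `json=` argument, and have L1 accept the revoke-user action only from a verified L2 principal permitted to act for that username. A short comment at the call site recording what L1 is expected to verify would also help, since the body alone reads as an unauthenticated request. The enclosing `logout` function begins and ends outside this hunk.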