Call /auth/revoke-user on L1s during logout

L2 now calls /auth/revoke-user (revokes by username) instead of /auth/revoke (revokes by token), because L1 has scoped tokens that differ from L2's own token. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 22:22:22 +00:00
parent 5ebfdac887
commit 64749af3fc
1 changed files with 5 additions and 4 deletions
--- a/server.py
+++ b/server.py
@@ -543,17 +543,18 @@ async def logout(request: Request):
        expires_at = datetime.fromtimestamp(claims.get("exp", 0), tz=timezone.utc)
        await db.revoke_token(token_hash, username, expires_at)

-        # Revoke token on all attached L1 renderers
+        # Revoke ALL tokens for this user on attached L1 renderers
+        # (L1 may have scoped tokens different from L2's token)
        attached = await db.get_user_renderers(username)
        for l1_url in attached:
            try:
                requests.post(
-                    f"{l1_url}/auth/revoke",
-                    headers={"Authorization": f"Bearer {token}"},
+                    f"{l1_url}/auth/revoke-user",
+                    json={"username": username, "l2_server": f"https://{DOMAIN}"},
                    timeout=5
                )
            except Exception as e:
-                logger.warning(f"Failed to revoke token on {l1_url}: {e}")
+                logger.warning(f"Failed to revoke user tokens on {l1_url}: {e}")

        # Remove all attachments for this user
        for l1_url in attached: