Clear session cookie when account signals logout via inbox

Check did_auth:{device_id} in Redis — if absent while user has a session cookie, account has logged out. Clear the cookie so next request triggers prompt=none which won't re-auth. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 01:26:17 +00:00
parent 80b423034d
commit 7ec5609aac
1 changed files with 14 additions and 1 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -72,8 +72,21 @@ def create_app() -> FastAPI:
        ):
            return await call_next(request)

-        # Already logged in
+        # Already logged in — but verify account hasn't logged out
        if get_user_from_cookie(request):
+            device_id = getattr(request.state, "device_id", None)
+            if device_id:
+                try:
+                    from .dependencies import get_redis_client
+                    r = get_redis_client()
+                    if not r.get(f"did_auth:{device_id}"):
+                        # Account logged out — clear our cookie
+                        response = await call_next(request)
+                        response.delete_cookie("artdag_session")
+                        response.delete_cookie("pnone_at")
+                        return response
+                except Exception:
+                    pass
            return await call_next(request)

        # Check cooldown — don't re-check within 5 minutes