From 984ef9c65e358154a2233fd339f50c087d5e9dcd Mon Sep 17 00:00:00 2001 From: giles Date: Thu, 26 Feb 2026 12:17:53 +0000 Subject: [PATCH] Fix session security: clear stale sessions after DB rebuild Two issues fixed: - Sessions with uid but no grant_token (legacy or corrupt) were not validated at all, allowing a user to be logged in as whoever got their old numeric user ID after a DB rebuild - DB errors during grant verification silently kept stale sessions alive; now treated as invalid to fail-safe Co-Authored-By: Claude Opus 4.6 --- shared/infrastructure/factory.py | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/shared/infrastructure/factory.py b/shared/infrastructure/factory.py index 0d3f208..5c29852 100644 --- a/shared/infrastructure/factory.py +++ b/shared/infrastructure/factory.py @@ -175,6 +175,13 @@ def create_base_app( auth_redis = None # Case 1: logged in — verify grant still valid (direct DB, cached) + if uid and not grant_token: + # Legacy session without grant token — clear it + qs.pop("uid", None) + qs.pop("cart_sid", None) + g.user = None + uid = None + if uid and grant_token: cache_key = f"grant:{grant_token}" if auth_redis: @@ -201,7 +208,7 @@ def create_base_app( ) valid = grant is not None and grant.revoked_at is None except Exception: - return # DB error — don't log user out + valid = False # DB error — treat as invalid if auth_redis: await auth_redis.set(cache_key, b"ok" if valid else b"revoked", ex=60)
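Review bot: The new guard's comment says what it does but not why, and the block now sits between the `# Case 1: logged in — verify grant still valid` comment and the `if uid and grant_token:` that comment describes, so a reader sees the wrong label on the new code. Replace `# Legacy session without grant token — clear it` with something like `# uid with no grant_token (pre-grant legacy or corrupt session): it cannot be verified against the DB and after a rebuild the numeric uid may belong to a different user, so treat it as logged out`, and move the `# Case 1` line down to sit directly above `if uid and grant_token:`. The cleanup pops only `uid` and `cart_sid`; any other per-user key the session may carry would survive, so a `qs.clear()` or the project's logout helper may be the safer choice if such keys exist — the session layout is not visible here. A one-line warning log when this branch fires would also let operators see how many legacy sessions are being invalidated after a rebuild. `create_base_app` continues outside the hunk.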
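Review bot: A transient DB error is now written to Redis as `b"revoked"` for 60 s, because the new `valid = False` in the except branch flows into the unchanged `auth_redis.set(cache_key, b"ok" if valid else b"revoked", ex=60)` two lines below, so one DB hiccup makes a valid grant look revoked for every request on that token in the window and presumably clears the session further down (that code is outside the hunk). Failing closed for the current request is reasonable, but the cache should only record a verdict the DB actually returned: put the cache write under an `else:` of the `try` (`else:` / `if auth_redis:` / `await auth_redis.set(...)` indented one level) so the error path leaves `valid = False` uncached. The `except Exception:` also swallows the error silently; if the module has a logger, `logger.exception("grant verification failed; treating session as invalid")` will stop DB outages from surfacing only as unexplained logouts. The `try` statement begins above the hunk.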