Fix session security: clear stale sessions after DB rebuild

Two issues fixed:
- Sessions with uid but no grant_token (legacy or corrupt) were not
  validated at all, allowing a user to be logged in as whoever got
  their old numeric user ID after a DB rebuild
- DB errors during grant verification silently kept stale sessions
  alive; now treated as invalid to fail-safe

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 12:17:53 +00:00
parent 6f0965aa9c
commit 984ef9c65e


@@ -175,6 +175,13 @@ def create_base_app(
auth_redis = None
# Case 1: logged in — verify grant still valid (direct DB, cached)
if uid and not grant_token:
# Legacy session without grant token — clear it
qs.pop("uid", None)
qs.pop("cart_sid", None)
g.user = None
uid = None
if uid and grant_token:
cache_key = f"grant:{grant_token}"
if auth_redis:
@@ -201,7 +208,7 @@ def create_base_app(
)
valid = grant is not None and grant.revoked_at is None
except Exception:
return # DB error — don't log user out
valid = False # DB error — treat as invalid
if auth_redis:
await auth_redis.set(cache_key, b"ok" if valid else b"revoked", ex=60)
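Review bot: Treating a DB error as `valid = False` is the right fail-safe, but the cache write at the end of the hunk then stores `b"revoked"` under the grant's cache key for 60 s, so one transient DB outage keeps the user logged out on every request for the next minute and, once cached, is indistinguishable from a genuine revocation. Skip the cache write when the result came from the error path, e.g. `except Exception: valid = False; db_error = True` and `if auth_redis and not db_error:`, with `db_error = False` initialised before the try. The `except Exception:` also swallows the error silently; a `logger.exception("grant verification failed")` (or whatever logger the module already uses) would make a DB outage visible in logs instead of surfacing only as unexplained logouts. The try/except and the enclosing create_base_app body extend outside the hunk, and the rendered hunk appears to be missing at least one line, so the exact placement of the flag may need adjusting.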