Add OAuth grants for per-device session revocation

- OAuthGrant model tracks each client authorization, tied to the account session (issuer_session) that issued it - OAuth authorize creates grant + code together - Client apps store grant_token in session, verify via account's internal /auth/internal/verify-grant endpoint (Redis-cached 60s) - Account logout revokes only grants from that device's session - Replaces iframe-based logout with server-side grant revocation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:30:08 +00:00
parent 9a637c6227
commit 6bb26522a1
6 changed files with 133 additions and 10 deletions
--- a/alembic/versions/q7o5l1m3n4_add_oauth_grants_table.py
+++ b/alembic/versions/q7o5l1m3n4_add_oauth_grants_table.py
@@ -0,0 +1,39 @@
+"""Add oauth_grants table
+
+Revision ID: q7o5l1m3n4
+Revises: p6n4k0l2m3
+"""
+from alembic import op
+import sqlalchemy as sa
+
+revision = "q7o5l1m3n4"
+down_revision = "p6n4k0l2m3"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.create_table(
+        "oauth_grants",
+        sa.Column("id", sa.Integer, primary_key=True, autoincrement=True),
+        sa.Column("token", sa.String(128), unique=True, nullable=False),
+        sa.Column("user_id", sa.Integer, sa.ForeignKey("users.id", ondelete="CASCADE"), nullable=False),
+        sa.Column("client_id", sa.String(64), nullable=False),
+        sa.Column("issuer_session", sa.String(128), nullable=False),
+        sa.Column("created_at", sa.DateTime(timezone=True), nullable=False, server_default=sa.func.now()),
+        sa.Column("revoked_at", sa.DateTime(timezone=True), nullable=True),
+    )
+    op.create_index("ix_oauth_grant_token", "oauth_grants", ["token"], unique=True)
+    op.create_index("ix_oauth_grant_issuer", "oauth_grants", ["issuer_session"])
+    op.create_index("ix_oauth_grant_user", "oauth_grants", ["user_id"])
+
+    # Add grant_token column to oauth_codes to link code → grant
+    op.add_column("oauth_codes", sa.Column("grant_token", sa.String(128), nullable=True))
+
+
+def downgrade():
+    op.drop_column("oauth_codes", "grant_token")
+    op.drop_index("ix_oauth_grant_user", table_name="oauth_grants")
+    op.drop_index("ix_oauth_grant_issuer", table_name="oauth_grants")
+    op.drop_index("ix_oauth_grant_token", table_name="oauth_grants")
+    op.drop_table("oauth_grants")