Add OAuth grants for per-device session revocation

- OAuthGrant model tracks each client authorization, tied to the account session (issuer_session) that issued it - OAuth authorize creates grant + code together - Client apps store grant_token in session, verify via account's internal /auth/internal/verify-grant endpoint (Redis-cached 60s) - Account logout revokes only grants from that device's session - Replaces iframe-based logout with server-side grant revocation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-23 12:30:08 +00:00
parent 9a637c6227
commit 6bb26522a1
6 changed files with 133 additions and 10 deletions
--- a/models/init.py
+++ b/models/init.py
@@ -2,6 +2,7 @@ from .user import User
 from .kv import KV
 from .magic_link import MagicLink
 from .oauth_code import OAuthCode
+from .oauth_grant import OAuthGrant
 from .menu_item import MenuItem

 from .ghost_membership_entities import (
--- a/models/oauth_code.py
+++ b/models/oauth_code.py
@@ -15,6 +15,7 @@ class OAuthCode(Base):
    redirect_uri: Mapped[str] = mapped_column(String(512), nullable=False)
    expires_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False)
    used_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
+    grant_token: Mapped[str | None] = mapped_column(String(128), nullable=True)
    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False, server_default=func.now())

    user = relationship("User", backref="oauth_codes")
--- a/models/oauth_grant.py
+++ b/models/oauth_grant.py
@@ -0,0 +1,30 @@
+from __future__ import annotations
+from datetime import datetime
+from sqlalchemy import String, Integer, DateTime, ForeignKey, func, Index
+from sqlalchemy.orm import Mapped, mapped_column, relationship
+from shared.db.base import Base
+
+
+class OAuthGrant(Base):
+    """Long-lived grant tracking each client-app session authorization.
+
+    Created when the OAuth authorize endpoint issues a code.  Tied to the
+    account session that issued it (``issuer_session``) so that logging out
+    on one device revokes only that device's grants.
+    """
+    __tablename__ = "oauth_grants"
+
+    id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
+    token: Mapped[str] = mapped_column(String(128), unique=True, nullable=False)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
+    client_id: Mapped[str] = mapped_column(String(64), nullable=False)
+    issuer_session: Mapped[str] = mapped_column(String(128), nullable=False, index=True)
+    created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False, server_default=func.now())
+    revoked_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
+
+    user = relationship("User", backref="oauth_grants")
+
+    __table_args__ = (
+        Index("ix_oauth_grant_token", "token", unique=True),
+        Index("ix_oauth_grant_issuer", "issuer_session"),
+    )