Instant logout detection: skip grant cache when did_auth cleared

When account logs out it deletes did_auth:{device_id} from Redis. If that key is gone, bypass the 60s grant cache and re-check the DB immediately, detecting the revoked grant on the first request. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-24 01:30:21 +00:00
parent beac1b3dab
commit e7d180912b
1 changed files with 4 additions and 1 deletions
--- a/infrastructure/factory.py
+++ b/infrastructure/factory.py
@@ -172,8 +172,11 @@ def create_base_app(
            if uid and grant_token:
                cache_key = f"grant:{grant_token}"
                if redis:
+                    # Quick check: if did_auth was cleared (logout), skip cache
+                    device_id = g.device_id
+                    did_auth_present = await redis.get(f"did_auth:{device_id}") if device_id else True
                    cached = await redis.get(cache_key)
-                    if cached == b"ok":
+                    if cached == b"ok" and did_auth_present:
                        return
                    if cached == b"revoked":
                        qs.pop("uid", None)