6bb26522a1
- OAuthGrant model tracks each client authorization, tied to the account session (issuer_session) that issued it - OAuth authorize creates grant + code together - Client apps store grant_token in session, verify via account's internal /auth/internal/verify-grant endpoint (Redis-cached 60s) - Account logout revokes only grants from that device's session - Replaces iframe-based logout with server-side grant revocation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
31 lines
1.4 KiB
Python
31 lines
1.4 KiB
Python
from __future__ import annotations
|
|
from datetime import datetime
|
|
from sqlalchemy import String, Integer, DateTime, ForeignKey, func, Index
|
|
from sqlalchemy.orm import Mapped, mapped_column, relationship
|
|
from shared.db.base import Base
|
|
|
|
|
|
class OAuthGrant(Base):
|
|
"""Long-lived grant tracking each client-app session authorization.
|
|
|
|
Created when the OAuth authorize endpoint issues a code. Tied to the
|
|
account session that issued it (``issuer_session``) so that logging out
|
|
on one device revokes only that device's grants.
|
|
"""
|
|
__tablename__ = "oauth_grants"
|
|
|
|
id: Mapped[int] = mapped_column(Integer, primary_key=True, autoincrement=True)
|
|
token: Mapped[str] = mapped_column(String(128), unique=True, nullable=False)
|
|
user_id: Mapped[int] = mapped_column(ForeignKey("users.id", ondelete="CASCADE"), nullable=False, index=True)
|
|
client_id: Mapped[str] = mapped_column(String(64), nullable=False)
|
|
issuer_session: Mapped[str] = mapped_column(String(128), nullable=False, index=True)
|
|
created_at: Mapped[datetime] = mapped_column(DateTime(timezone=True), nullable=False, server_default=func.now())
|
|
revoked_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
|
|
|
|
user = relationship("User", backref="oauth_grants")
|
|
|
|
__table_args__ = (
|
|
Index("ix_oauth_grant_token", "token", unique=True),
|
|
Index("ix_oauth_grant_issuer", "issuer_session"),
|
|
)
|