fix(auth): bulk-revoke sessions on password and role change

A stolen JWT used to survive a password reset for its full 24h. Now every
session-invalidating change moves the user's tokens_valid_from cutoff to
'now', so all of that user's prior tokens 401 on next use:

- self change-password, admin reset-password, role change all bump the
  cutoff (delete needs no bump: the row is gone, so the user lookup 401s).
- Cutoff is compared against the token's iat floored to whole seconds, so a
  re-login in the same second as the change isn't caught by its own
  revocation (the cost is a <=1s grey zone on same-second-old tokens).
- Per-user: changing one user never revokes another.

decnet/web/dependencies.py

@@ -195,8 +195,13 @@ async def _resolve_token(token: str) -> tuple[str, dict[str, Any]]:
     if not jti:
         raise _CREDENTIALS_EXCEPTION
     # 2. Bulk cutoff: password/role change moves tokens_valid_from forward.
+    #    JWT iat is whole-seconds, so floor the cutoff to whole seconds too —
+    #    otherwise a re-login landing in the SAME second as the change gets an
+    #    iat that truncates below a sub-second cutoff and is wrongly rejected.
+    #    Cost: tokens issued earlier in that same second survive (≤1s), which is
+    #    negligible against a 24h lifetime.
     cutoff = user.get("tokens_valid_from")
-    if cutoff is not None and _epoch(payload.get("iat", 0)) < _epoch(cutoff):
+    if cutoff is not None and _epoch(payload.get("iat", 0)) < int(_epoch(cutoff)):
         raise _CREDENTIALS_EXCEPTION
     # 3. Single-token denylist (logout).
     if await _is_revoked_cached(jti):

decnet/web/router/auth/api_change_pass.py

@@ -1,4 +1,5 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
+from datetime import datetime, timezone
 from typing import Any, Optional
 
 from fastapi import APIRouter, Depends, HTTPException, status
@@ -32,5 +33,8 @@ async def change_password(request: ChangePasswordRequest, current_user: str = De
 
     _new_hash: str = await ahash_password(request.new_password)
     await repo.update_user_password(current_user, _new_hash, must_change_password=False)
+    # Changing a password revokes every existing session for this user (incl.
+    # the current one): the caller's next request 401s and re-authenticates.
+    await repo.set_tokens_valid_from(current_user, datetime.now(timezone.utc))
     invalidate_user_cache(current_user)
     return {"message": "Password updated successfully"}

decnet/web/router/config/api_manage_users.py

@@ -1,5 +1,6 @@
 # SPDX-License-Identifier: AGPL-3.0-or-later
 import uuid as _uuid
+from datetime import datetime, timezone
 
 from fastapi import APIRouter, Depends, HTTPException
 
@@ -77,6 +78,8 @@ async def api_delete_user(
     deleted = await repo.delete_user(user_uuid)
     if not deleted:
         raise HTTPException(status_code=404, detail="User not found")
+    # No token bump needed: the user row is gone, so _resolve_token already
+    # 401s any of their tokens (user lookup returns None).
     invalidate_user_cache(user_uuid)
     invalidate_list_users_cache()
     return {"message": "User deleted"}
@@ -108,6 +111,9 @@ async def api_update_user_role(
         raise HTTPException(status_code=404, detail="User not found")
 
     await repo.update_user_role(user_uuid, req.role)
+    # Revoke the target's sessions so a privilege change can't be outrun by an
+    # in-flight token carrying the old role.
+    await repo.set_tokens_valid_from(user_uuid, datetime.now(timezone.utc))
     invalidate_user_cache(user_uuid)
     invalidate_list_users_cache()
     return {"message": "User role updated"}
@@ -140,6 +146,9 @@ async def api_reset_user_password(
         await ahash_password(req.new_password),
         must_change_password=True,
     )
+    # Admin reset implies the old credential is burned — revoke the target's
+    # existing sessions so a leaked token can't survive the reset.
+    await repo.set_tokens_valid_from(user_uuid, datetime.now(timezone.utc))
     invalidate_user_cache(user_uuid)
     invalidate_list_users_cache()
     return {"message": "Password reset successfully"}