feat(auth): logout endpoint revokes the presented token

POST /auth/logout adds the caller's jti to the denylist and drops the local negative-cache entry, so the token 401s on its very next use. Single-session semantics: only this token dies, other sessions for the same user keep working. Reachable for must_change_password users (it runs the revocation checks but skips the must_change gate via get_token_claims) so a session can always be ended; an already-revoked token is rejected.
2026-05-30 18:21:16 -04:00
parent 698ecaa322
commit c82897193e
4 changed files with 130 additions and 3 deletions
--- a/decnet/web/dependencies.py
+++ b/decnet/web/dependencies.py
@@ -219,13 +219,15 @@ async def _resolve_request(request: Request) -> tuple[str, dict[str, Any]]:
    return await _resolve_token(token)


-def get_token_claims(request: Request) -> dict[str, Any]:
+async def get_token_claims(request: Request) -> dict[str, Any]:
    """Return the validated claims of the presented Bearer token (decode +
-    signature + revocation checks). Used by logout, which needs the token's own
-    ``jti``/``exp`` to denylist *this* session even for must_change users."""
+    signature + user-exists + revocation checks, but NOT must_change). Used by
+    logout, which needs the token's own ``jti``/``exp`` to denylist *this*
+    session — and must still reject an already-revoked token."""
    token = _bearer_from_header(request)
    if not token:
        raise _CREDENTIALS_EXCEPTION
+    await _resolve_token(token)  # enforce user-exists + revocation; raises 401
    return _decode_payload(token)