anti
9fc489258b
A stolen JWT used to survive a password reset for its full 24h. Now every session-invalidating change moves the user's tokens_valid_from cutoff to 'now', so all of that user's prior tokens 401 on next use: - self change-password, admin reset-password, role change all bump the cutoff (delete needs no bump: the row is gone, so the user lookup 401s). - Cutoff is compared against the token's iat floored to whole seconds, so a re-login in the same second as the change isn't caught by its own revocation (the cost is a <=1s grey zone on same-second-old tokens). - Per-user: changing one user never revokes another.
12 KiB
12 KiB