feat(auth,prompt-rule): add password change with session revocation and scope prompt rules by brand
Add self-service password change that re-hashes the credential and bumps a per-user session version so all existing access/refresh tokens are rejected. Session version is tracked in Redis with an in-memory fallback and enforced in middleware and refresh. Scope prompt rules and rule groups to a brand: new brand_id column (migrated to a "未归属" fallback brand for existing rows), brand-filtered queries/indexes, and brand-aware admin-web tabs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -75,6 +75,17 @@ func Middleware(jwtMgr *Manager, sessions *SessionStore) gin.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
currentVersion, _ := sessions.SessionVersion(c.Request.Context(), claims.UserID)
|
||||
if claims.SessionVersion < currentVersion {
|
||||
updateRequestLogContext(c, func(meta *RequestLogContext) {
|
||||
meta.FailureStage = "check_session_version"
|
||||
meta.FailureReason = "session_version_stale"
|
||||
})
|
||||
response.Error(c, response.ErrUnauthorized(40103, "token_revoked", "token has been revoked"))
|
||||
c.Abort()
|
||||
return
|
||||
}
|
||||
|
||||
revoked, _ := sessions.IsBlacklisted(c.Request.Context(), claims.ID)
|
||||
if revoked {
|
||||
updateRequestLogContext(c, func(meta *RequestLogContext) {
|
||||
|
||||
Reference in New Issue
Block a user