feat(auth,prompt-rule): add password change with session revocation and scope prompt rules by brand
Add self-service password change that re-hashes the credential and bumps a per-user session version so all existing access/refresh tokens are rejected. Session version is tracked in Redis with an in-memory fallback and enforced in middleware and refresh. Scope prompt rules and rule groups to a brand: new brand_id column (migrated to a "未归属" fallback brand for existing rows), brand-filtered queries/indexes, and brand-aware admin-web tabs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -85,3 +85,43 @@ func TestSessionStoreUsesMemoryFallbackWhenRedisUnavailable(t *testing.T) {
|
||||
require.NoError(t, err)
|
||||
assert.True(t, revoked)
|
||||
}
|
||||
|
||||
func TestSessionStoreBumpSessionVersion(t *testing.T) {
|
||||
mr := miniredis.RunT(t)
|
||||
client := goredis.NewClient(&goredis.Options{Addr: mr.Addr()})
|
||||
t.Cleanup(func() { _ = client.Close() })
|
||||
|
||||
store := NewSessionStore(client)
|
||||
ctx := context.Background()
|
||||
|
||||
version, err := store.SessionVersion(ctx, 42)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, int64(0), version)
|
||||
|
||||
version, err = store.BumpSessionVersion(ctx, 42)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, int64(1), version)
|
||||
|
||||
version, err = store.SessionVersion(ctx, 42)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, int64(1), version)
|
||||
}
|
||||
|
||||
func TestSessionStoreSessionVersionKeepsFallbackBumpWhenRedisLags(t *testing.T) {
|
||||
mr := miniredis.RunT(t)
|
||||
client := goredis.NewClient(&goredis.Options{Addr: mr.Addr()})
|
||||
t.Cleanup(func() { _ = client.Close() })
|
||||
|
||||
store := NewSessionStore(client)
|
||||
ctx := context.Background()
|
||||
|
||||
require.NoError(t, mr.Set(sessionVersionKey(42), "1"))
|
||||
store.fallback.set(sessionVersionKey(42), "3", sessionVersionFallbackTTL)
|
||||
|
||||
version, err := store.SessionVersion(ctx, 42)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, int64(3), version)
|
||||
stored, err := mr.Get(sessionVersionKey(42))
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, "3", stored)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user