Revoke stale sessions after password change #649

Merged
alteixeira20 merged 2 commits from alteixeira20/harden-password-session-revocation into main 2026-06-01 20:15:35 +02:00
alteixeira20 commented 2026-06-01 18:58:49 +02:00 (Migrated from github.com)

Summary

Revokes other active browser sessions after a successful password change.

Changes

  • Add AuthManager.revoke_user_sessions(username, except_token=None).
  • Revoke other browser sessions for the same user after password change succeeds.
  • Preserve the current odysseus_session browser session.
  • Leave API-token behavior unchanged.
  • Add focused regression tests for session revocation and wrong-password behavior.

Motivation

If a user changes their password after suspecting stale or unwanted sessions, other browser sessions should not remain valid until expiry. This keeps password-change behavior safer while avoiding the UX surprise of logging out the current tab.

Validation

  • python3 -m py_compile core/auth.py routes/auth_routes.py tests/test_auth_session_revocation.py
  • python3 -m pytest tests/test_auth_session_revocation.py
  • git diff --check

Notes

Focused auth/session hardening only. API tokens are intentionally unchanged.

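The behaviour the description lays out (verify the old password first, rotate the hash, then revoke every other browser session while keeping the caller's `odysseus_session` and leaving API tokens alone) is shown below as an added example written for this page, not the project's own `AuthManager`. It assumes an in-memory store of hashed session tokens, a per-user set of hashed API tokens, PBKDF2 password hashing and an in-process audit list; only the names `AuthManager` and `revoke_user_sessions(username, except_token=None)` come from the PR, everything else is illustrative.

```python
"""Illustrative session revocation on password change (not the project's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

PBKDF2_ROUNDS = 100_000  # assumption: any slow KDF works here


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    api_tokens: set = field(default_factory=set)  # hashed API tokens, never revoked here


class AuthManager:
    def __init__(self) -> None:
        self._users: dict[str, User] = {}
        # browser sessions: sha256(token) -> username; hashing means a leaked
        # store does not hand out usable cookies
        self._sessions: dict[str, str] = {}
        self.audit_log: list[str] = []

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = User(username, salt, _hash_password(password, salt))

    def verify_password(self, username: str, password: str) -> bool:
        user = self._users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def create_session(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = username
        return token

    def session_user(self, token: str) -> Optional[str]:
        return self._sessions.get(self._digest(token))

    def create_api_token(self, username: str) -> str:
        token = secrets.token_urlsafe(32)
        self._users[username].api_tokens.add(self._digest(token))
        return token

    def api_token_valid(self, username: str, token: str) -> bool:
        return self._digest(token) in self._users[username].api_tokens

    def revoke_user_sessions(self, username: str, except_token: Optional[str] = None) -> int:
        """Drop every browser session of `username` except the one `except_token` names.
        With except_token=None this is the revoke-all path. Returns the count removed."""
        keep = self._digest(except_token) if except_token else None
        doomed = [d for d, u in self._sessions.items() if u == username and d != keep]
        for d in doomed:
            del self._sessions[d]
        self.audit_log.append(f"revoked {len(doomed)} session(s) for {username}")
        return len(doomed)

    def change_password(self, username: str, current_token: str,
                        old_password: str, new_password: str) -> bool:
        # Wrong password: reject and touch nothing, including other sessions.
        if not self.verify_password(username, old_password):
            self.audit_log.append(f"password change rejected for {username}: wrong password")
            return False
        user = self._users[username]
        user.salt = secrets.token_bytes(16)
        user.pw_hash = _hash_password(new_password, user.salt)
        # Revoke only after the new hash is in place, keeping the calling tab.
        self.revoke_user_sessions(username, except_token=current_token)
        return True


def demo() -> dict:
    """Constructed scenario covering wrong-password, preserve-current, revoke-all and zero-session paths."""
    am = AuthManager()
    am.add_user("alice", "old-pw")
    am.add_user("bob", "bob-pw")
    current = am.create_session("alice")  # the tab performing the change
    stale = am.create_session("alice")    # a second browser the user wants gone
    bobs = am.create_session("bob")
    api = am.create_api_token("alice")

    wrong = am.change_password("alice", current, "guess", "new-pw")
    stale_kept = am.session_user(stale) == "alice"
    ok = am.change_password("alice", current, "old-pw", "new-pw")
    return {
        "wrong_password_rejected": not wrong,
        "stale_kept_after_wrong_password": stale_kept,
        "password_changed": ok,
        "current_preserved": am.session_user(current) == "alice",
        "stale_revoked": am.session_user(stale) is None,
        "other_user_untouched": am.session_user(bobs) == "bob",
        "api_token_untouched": am.api_token_valid("alice", api),
        "new_password_works": am.verify_password("alice", "new-pw"),
        "revoke_all_removes_remaining": am.revoke_user_sessions("alice") == 1,
        "zero_sessions_returns_zero": am.revoke_user_sessions("alice") == 0,
    }
```

Two points the ordering makes explicit: the old password is checked before anything is mutated, so a failed attempt cannot be used to log a victim out of their other devices, and the revocation runs after the new hash is committed, so there is no window in which the stale sessions survive a successful change. Because `except_token` is compared by digest, passing a token that is not a live session for that user simply revokes everything, which is the safe default.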
sleepy merged commit 2a78bc873b into main 2026-06-01 20:15:35 +02:00
Owner

Merged via squash. Session revocation on password change with audit logging. 7 tests pass covering preserve-current, revoke-all, and zero-session paths.
