Add session revocation & consolidate rate limiting

Add sessions_invalidated_at to users (migration + Prisma schema) to support immediate session revocation. Set sessionsInvalidatedAt when an admin revokes a user's login token and enforce revocation checks in auth middleware and the refresh endpoint (compare token iat against sessionsInvalidatedAt). Add optional iat fields to JWT payload types. Scrub token from browser history after token-login. Consolidate rate-limiting logic into src/lib/utils/rateLimit.ts (rename/merge previous auth/apiToken rate limiter implementations), remove the old apiTokenRateLimit.ts, and update imports and tests to use the new module.
2026-06-03 04:40:09 +00:00 · 2026-03-13 12:41:07 -04:00
parent c8bfcdb611
commit 4322c3af90
17 changed files with 68 additions and 105 deletions
@@ -7,7 +7,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { requireAuth, requireAdmin, AuthenticatedRequest } from '@/lib/middleware/auth';
 import { prisma } from '@/lib/db';
 import { RMABLogger } from '@/lib/utils/logger';
-import { checkApiTokenRevokeRateLimit } from '@/lib/utils/apiTokenRateLimit';
+import { checkApiTokenRevokeRateLimit } from '@/lib/utils/rateLimit';

 const logger = RMABLogger.create('API.Admin.ApiTokens');

@@ -7,7 +7,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { requireAuth, requireAdmin, AuthenticatedRequest } from '@/lib/middleware/auth';
 import { prisma } from '@/lib/db';
 import { RMABLogger } from '@/lib/utils/logger';
-import { checkApiTokenCreateRateLimit } from '@/lib/utils/apiTokenRateLimit';
+import { checkApiTokenCreateRateLimit } from '@/lib/utils/rateLimit';
 import { MAX_TOKENS_PER_USER } from '@/lib/constants/api-tokens';
 import { generateApiToken } from '@/lib/utils/api-token';
 import { z } from 'zod';
@@ -79,7 +79,7 @@ export async function DELETE(

        await prisma.user.update({
          where: { id },
-          data: { loginTokenHash: null },
+          data: { loginTokenHash: null, sessionsInvalidatedAt: new Date() },
        });

        logger.info('Admin revoked login token for user', {
@@ -45,9 +45,17 @@ export async function POST(request: NextRequest) {
    // Get user from database
    const user = await prisma.user.findUnique({
      where: { id: payload.sub },
+      select: {
+        id: true,
+        plexId: true,
+        plexUsername: true,
+        role: true,
+        deletedAt: true,
+        sessionsInvalidatedAt: true,
+      },
    });

-    if (!user) {
+    if (!user || user.deletedAt) {
      return NextResponse.json(
        {
          error: 'Unauthorized',
@@ -57,6 +65,19 @@ export async function POST(request: NextRequest) {
      );
    }

+    // Check if session was invalidated after this refresh token was issued
+    if (user.sessionsInvalidatedAt && payload.iat &&
+        payload.iat < Math.floor(user.sessionsInvalidatedAt.getTime() / 1000)) {
+      logger.warn('Refresh token issued before session invalidation', { userId: payload.sub });
+      return NextResponse.json(
+        {
+          error: 'Unauthorized',
+          message: 'Session has been revoked',
+        },
+        { status: 401 }
+      );
+    }
+
    // Generate new access token
    const accessToken = generateAccessToken({
      sub: user.id,
@@ -7,7 +7,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { prisma } from '@/lib/db';
 import { generateAccessToken, generateRefreshToken } from '@/lib/utils/jwt';
 import { RMABLogger } from '@/lib/utils/logger';
-import { checkTokenLoginRateLimit } from '@/lib/utils/authRateLimit';
+import { checkTokenLoginRateLimit } from '@/lib/utils/rateLimit';
 import crypto from 'crypto';

 const logger = RMABLogger.create('API.Auth.TokenLogin');
@@ -7,7 +7,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { requireAuth, AuthenticatedRequest } from '@/lib/middleware/auth';
 import { prisma } from '@/lib/db';
 import { RMABLogger } from '@/lib/utils/logger';
-import { checkApiTokenRevokeRateLimit } from '@/lib/utils/apiTokenRateLimit';
+import { checkApiTokenRevokeRateLimit } from '@/lib/utils/rateLimit';

 const logger = RMABLogger.create('API.User.ApiTokens');

@@ -7,7 +7,7 @@ import { NextRequest, NextResponse } from 'next/server';
 import { requireAuth, AuthenticatedRequest } from '@/lib/middleware/auth';
 import { prisma } from '@/lib/db';
 import { RMABLogger } from '@/lib/utils/logger';
-import { checkApiTokenCreateRateLimit } from '@/lib/utils/apiTokenRateLimit';
+import { checkApiTokenCreateRateLimit } from '@/lib/utils/rateLimit';
 import { MAX_TOKENS_PER_USER } from '@/lib/constants/api-tokens';
 import { generateApiToken } from '@/lib/utils/api-token';
 import { z } from 'zod';
@@ -22,6 +22,9 @@ function TokenLoginContent() {
      return;
    }

+    // Scrub token from browser URL/history immediately after extraction
+    window.history.replaceState({}, '', '/auth/token/login');
+
    fetch('/api/auth/token/login', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },