mirror of
https://github.com/DeBrosOfficial/orama.git
synced 2026-06-17 08:24:12 +00:00
33600092a8
A lost rotation response strands the client on a just-revoked token: the retry hits res.Count==0 → genuine 401 → SIWE, which is impossible on a VoIP-woken locked screen, so the call dies. This recurred under the reconnect storms from today's gateway rolls. Add an RFC 9700 §4.13.2 reuse grace: a refresh token revoked within 60s whose grace_used_at is still NULL is accepted ONCE more and mints a fresh session. The grace path skips the revoke CAS (the token is already revoked — the CAS would 0-match and mis-fire the replay tripwire) and is locked instead by a single-use CAS on grace_used_at, so a stolen token can't be replayed at leisure. The window predicate is repeated on the CAS to close the SELECT→UPDATE TOCTOU, and the grace SELECT excludes expired tokens. Security (found + fixed in review): explicit revocation (RevokeToken / /v1/auth/logout) now also stamps grace_used_at, so a deliberately-logged-out token can never be grace-recovered — closes a logout-bypass where a just- revoked token would otherwise be resurrectable for 60s. Transient rqlite errors on the grace lookup/CAS surface as 503 (retryable), not 401, preserving the #125 transient-vs-genuine distinction. Migration 032 adds grace_used_at (additive ALTER, rolling-safe; NULL = grace available, the window predicate keeps historically-revoked tokens ineligible). Dual-reviewed: code-quality APPROVED; security SECURE after the logout-bypass fix. Tests: lost-response recovery, single-use second-attempt 401, genuine bad token 401, and the logout-bypass regression.