Update the refresh token verify mechanism (#710)

* Remove the logout interface auth dependency * Update the refresh token check
2025-08-26 12:59:44 +08:00 · 2025-07-02 18:08:28 +08:00
parent d906a103af
commit 099880dd1c
2 changed files with 5 additions and 2 deletions
--- a/backend/app/admin/api/v1/auth/auth.py
+++ b/backend/app/admin/api/v1/auth/auth.py
@ -47,7 +47,7 @@ async def refresh_token(request: Request) -> ResponseSchemaModel[GetNewToken]:
    return response_base.success(data=data)


-@router.post('/logout', summary='用户登出', dependencies=[DependsJwtAuth])
+@router.post('/logout', summary='用户登出')
 async def logout(request: Request, response: Response) -> ResponseModel:
    await auth_service.logout(request=request, response=response)
    return response_base.success()
--- a/backend/app/admin/service/auth_service.py
+++ b/backend/app/admin/service/auth_service.py
@ -197,7 +197,7 @@ class AuthService:
        """
        refresh_token = request.cookies.get(settings.COOKIE_REFRESH_TOKEN_KEY)
        if not refresh_token:
-            raise errors.TokenError(msg='Refresh Token 已过期，请重新登录')
+            raise errors.RequestError(msg='Refresh Token 已过期，请重新登录')
        token_payload = jwt_decode(refresh_token)
        async with async_db_session() as db:
            user = await user_dao.get(db, token_payload.id)
@ -205,6 +205,9 @@ class AuthService:
                raise errors.NotFoundError(msg='用户不存在')
            elif not user.status:
                raise errors.AuthorizationError(msg='用户已被锁定, 请联系统管理员')
+            if not user.is_multi_login:
+                if await redis_client.keys(match=f'{settings.TOKEN_REDIS_PREFIX}:{user.id}:*'):
+                    raise errors.ForbiddenError(msg='此用户已在异地登录，请重新登录并及时修改密码')
            new_token = await create_new_token(
                refresh_token,
                token_payload.session_uuid,