fix(auth): Token 验证和撤销添加租户隔离

crates/erp-auth/src/service/token_service.rs

@@ -131,6 +131,7 @@ impl TokenService {
         let hash = sha256_hex(token);
         let token_row = user_token::Entity::find()
             .filter(user_token::Column::TokenHash.eq(hash))
+            .filter(user_token::Column::TenantId.eq(claims.tid))
             .filter(user_token::Column::RevokedAt.is_null())
             .one(db)
             .await
@@ -151,8 +152,10 @@ impl TokenService {
     }
 
     /// Revoke a specific refresh token by database ID.
-    pub async fn revoke_token(token_id: Uuid, db: &DatabaseConnection) -> AuthResult<()> {
+    /// Verifies that the token belongs to the specified user for security.
+    pub async fn revoke_token(token_id: Uuid, user_id: Uuid, db: &DatabaseConnection) -> AuthResult<()> {
         let token_row = user_token::Entity::find_by_id(token_id)
+            .filter(user_token::Column::UserId.eq(user_id))
             .one(db)
             .await
             .map_err(|e| AuthError::Validation(e.to_string()))?