fix(auth): Token 验证和撤销添加租户隔离

2026-05-06 10:21:07 +08:00
parent 51c41acfa7
commit a78ee2f154
2 changed files with 5 additions and 2 deletions
--- a/crates/erp-auth/src/service/auth_service.rs
+++ b/crates/erp-auth/src/service/auth_service.rs
@@ -195,7 +195,7 @@ impl AuthService {
            TokenService::validate_refresh_token(refresh_token_str, db, jwt.secret).await?;

        // Revoke the old token (rotation)
-        TokenService::revoke_token(old_token_id, db).await?;
+        TokenService::revoke_token(old_token_id, claims.sub, db).await?;

        // Fetch fresh roles and permissions
        let roles: Vec<String> = TokenService::get_user_roles(claims.sub, claims.tid, db).await?;
--- a/crates/erp-auth/src/service/token_service.rs
+++ b/crates/erp-auth/src/service/token_service.rs
@@ -131,6 +131,7 @@ impl TokenService {
        let hash = sha256_hex(token);
        let token_row = user_token::Entity::find()
            .filter(user_token::Column::TokenHash.eq(hash))
+            .filter(user_token::Column::TenantId.eq(claims.tid))
            .filter(user_token::Column::RevokedAt.is_null())
            .one(db)
            .await
@@ -151,8 +152,10 @@ impl TokenService {
    }

    /// Revoke a specific refresh token by database ID.
-    pub async fn revoke_token(token_id: Uuid, db: &DatabaseConnection) -> AuthResult<()> {
+    /// Verifies that the token belongs to the specified user for security.
+    pub async fn revoke_token(token_id: Uuid, user_id: Uuid, db: &DatabaseConnection) -> AuthResult<()> {
        let token_row = user_token::Entity::find_by_id(token_id)
+            .filter(user_token::Column::UserId.eq(user_id))
            .one(db)
            .await
            .map_err(|e| AuthError::Validation(e.to_string()))?