Skip to content

fix(auth): revocable access tokens + rate limiting + auth on oauth introspect/revoke (C3/H3/M4/OM1)#61

Open
PenguinzTech wants to merge 1 commit into
fix/tenant-team-isolationfrom
fix/token-revocation-ratelimit
Open

fix(auth): revocable access tokens + rate limiting + auth on oauth introspect/revoke (C3/H3/M4/OM1)#61
PenguinzTech wants to merge 1 commit into
fix/tenant-team-isolationfrom
fix/token-revocation-ratelimit

Conversation

@PenguinzTech

Copy link
Copy Markdown
Contributor

Security fixes (Track A4)

Stacked on #58 (base = fix/tenant-team-isolation). Targets release/v0.1.x.

  • C3 (CRITICAL) — access tokens now carry a jti; a revoked_access_tokens blocklist is checked in auth_required, so /logout and /oauth/revoke actually invalidate the current access token (previously only refresh tokens were revoked). Blocklist self-prunes on expiry.
  • H3/M4 (HIGH) — real rate limiter (app/rate_limiter.py): Redis-backed when REDIS_ENABLED else in-memory, respects RATE_LIMIT_ENABLED. Applied to /auth/login, /auth/register, /oauth/token; returns 429.
  • OM1 (MED)/oauth/introspect and /oauth/revoke now require authentication; introspect returns active:false for revoked tokens or deactivated users.

Uses the existing redis==5.2.0 dep; requirements recompiled with uv (house-preferred).

Tests

Revocation, 429 rate-limit, oauth-security + comprehensive rate_limiter tests. Suite: 441 passed, 1 skipped, 90.82% coverage.

🤖 Generated with Claude Code

…uth introspect/revoke (C3/H3/M4/OM1)

- C3: access tokens now carry a jti; a revoked_access_tokens blocklist is checked in
  auth_required, so /logout and /oauth/revoke actually invalidate the current access
  token (previously only refresh tokens were revoked). Blocklist self-prunes on expiry.
- H3/M4: real rate limiter (app/rate_limiter.py) — Redis-backed when REDIS_ENABLED else
  in-memory, respects RATE_LIMIT_ENABLED. Applied to /auth/login, /auth/register,
  /oauth/token; returns 429 on limit.
- OM1: /oauth/introspect and /oauth/revoke now require authentication; introspect
  returns active:false for revoked tokens or deactivated (is_active=false) users.

Tests: revocation, rate-limit 429, oauth-security + comprehensive rate_limiter tests.
Suite: 441 passed, 1 skipped, 90.82% coverage.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@PenguinzTech PenguinzTech added this to the v0.1.x milestone Jul 14, 2026
@PenguinzTech PenguinzTech added the type:security Security fix label Jul 14, 2026

@sourcery-ai sourcery-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry @PenguinzTech, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

type:security Security fix

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant