The whoami route accepted rotated/old refresh tokens for cold-start because it only checked session revocation status, not the token hash. Now when token_type == "refresh", the route computes hash_token(token) and compares it with the session's stored refresh_token_hash using hmac.compare_digest (constant-time). Mismatch returns 401.

- Add SessionService.get_stored_refresh_hash(session_id) helper
- Add hash verification in whoami route (R9)
- Add TestWhoamiTokenHash with 5 integration tests
| File |
|---|
| .. |
| __init__.py |
| test_admin_routes.py |
| test_auth_routes.py |
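The check the commit message describes, as an added example that is not the repository's own code: a minimal in-memory stand-in for `SessionService`, a `whoami_before` function showing the revocation-only behaviour and a `whoami_after` function adding the constant-time hash comparison. The `hash_token` digest (unsalted SHA-256 hex), the session store layout, the `create_session`/`rotate_refresh_token`/`revoke` helpers and the plain functions standing in for the route are all assumptions of this example; only `get_stored_refresh_hash`, `hash_token` and the `hmac.compare_digest` verification come from the commit message.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed example: an in-memory stand-in for the application's
# SessionService. Storage, token format and the route framework are
# assumptions; only the verification logic follows the commit message.


def hash_token(token: str) -> str:
    """Hash a bearer token for storage and comparison (SHA-256 hex is an assumption)."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SessionService:
    def __init__(self) -> None:
        # session_id -> {"revoked": bool, "refresh_token_hash": str}
        self._sessions: dict = {}

    def create_session(self, session_id: str) -> str:
        """Create a session and return its first refresh token; only the hash is stored."""
        token = secrets.token_urlsafe(32)
        self._sessions[session_id] = {"revoked": False, "refresh_token_hash": hash_token(token)}
        return token

    def rotate_refresh_token(self, session_id: str) -> str:
        """Issue a new refresh token; the previous token must stop working."""
        token = secrets.token_urlsafe(32)
        self._sessions[session_id]["refresh_token_hash"] = hash_token(token)
        return token

    def revoke(self, session_id: str) -> None:
        self._sessions[session_id]["revoked"] = True

    def is_revoked(self, session_id: str) -> bool:
        # Unknown sessions are treated as revoked.
        session = self._sessions.get(session_id)
        return session is None or session["revoked"]

    def get_stored_refresh_hash(self, session_id: str) -> Optional[str]:
        """Helper named in the commit message; None for unknown sessions."""
        session = self._sessions.get(session_id)
        return None if session is None else session["refresh_token_hash"]


def whoami_before(service: SessionService, session_id: str, token: str, token_type: str) -> int:
    """Pre-fix behaviour: only revocation is checked, so any old refresh token
    of a live session is accepted. Returns an HTTP status code."""
    if service.is_revoked(session_id):
        return 401
    return 200


def whoami_after(service: SessionService, session_id: str, token: str, token_type: str) -> int:
    """Post-fix behaviour: a refresh token must also match the stored hash.
    Access-token verification is assumed to happen elsewhere and is not modelled."""
    if service.is_revoked(session_id):
        return 401
    if token_type == "refresh":
        stored = service.get_stored_refresh_hash(session_id)
        # compare_digest keeps the comparison constant-time in the digest length,
        # so a mismatch leaks nothing about how many leading characters matched.
        if stored is None or not hmac.compare_digest(hash_token(token), stored):
            return 401
    return 200


def demo() -> dict:
    """Rotate a session's refresh token and show the old token's fate before/after the fix."""
    svc = SessionService()
    old = svc.create_session("s1")
    new = svc.rotate_refresh_token("s1")
    return {
        "old_before": whoami_before(svc, "s1", old, "refresh"),
        "old_after": whoami_after(svc, "s1", old, "refresh"),
        "new_after": whoami_after(svc, "s1", new, "refresh"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point worth noting is that the comparison is done on digests rather than on the raw token: the store never holds the secret itself, and because both digests have a fixed length, `hmac.compare_digest` runs in time independent of where the first differing byte sits.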