fischer-agentkit/tests/integration/auth
chiguyong 698a8fafba fix(review): U7 refresh token hash verification on whoami
The whoami route accepted rotated/old refresh tokens for cold-start
because it only checked session revocation status, not the token hash.
Now when token_type == "refresh", the route computes hash_token(token)
and compares it with the session's stored refresh_token_hash using
hmac.compare_digest (constant-time). Mismatch returns 401.

- Add SessionService.get_stored_refresh_hash(session_id) helper
- Add hash verification in whoami route (R9)
- Add TestWhoamiTokenHash with 5 integration tests
2026-06-22 16:55:20 +08:00
__init__.py feat(auth): U3/U4/U9 logout-others + whoami cold-start + admin UI + integration tests 2026-06-21 09:08:34 +08:00
test_admin_routes.py fix(auth,chat): P0 security fixes + stop-generation button + doc sync 2026-06-21 11:36:58 +08:00
test_auth_routes.py fix(review): U7 refresh token hash verification on whoami 2026-06-22 16:55:20 +08:00