Promptly-Technologies-LLC
diff --git a/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion b/‎pyproject.toml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎routers/core/account.py‎
Lines changed: 61 additions & 7 deletions b/‎routers/core/account.py‎
Lines changed: 61 additions & 7 deletions
diff --git a/‎templates/users/profile.html‎
Lines changed: 1 addition & 1 deletion b/‎templates/users/profile.html‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/conftest.py‎
Lines changed: 23 additions & 17 deletions b/‎tests/conftest.py‎
Lines changed: 23 additions & 17 deletions
@@ -1,6 +1,6 @@
 [project]
 name = "fastapi-jinja2-postgres-webapp"
-version = "0.1.14"
+version = "0.1.15"
 description = "A template webapp with a pure-Python FastAPI backend, frontend templating with Jinja2, and a Postgres database to power user auth"
 readme = "README.md"
 package-mode = false
 
@@ -10,14 +10,16 @@
 from sqlmodel import Session, select
 from utils.core.models import User, DataIntegrityError, Account, Invitation
 from utils.core.dependencies import get_session
+from utils.core.models import RefreshToken
 from utils.core.auth import (
     HTML_PASSWORD_PATTERN,
     COMPILED_PASSWORD_PATTERN,
     COOKIE_SECURE,
     oauth2_scheme_cookie,
     get_password_hash,
     create_access_token,
-    create_refresh_token,
+    create_tracked_refresh_token,
+    revoke_all_refresh_tokens,
     validate_token,
     send_reset_email_task,
     send_email_update_confirmation
@@ -99,13 +101,28 @@ def validate_password_strength_and_match(
 
 
 @router.get("/logout", response_class=RedirectResponse)
-def logout():
+def logout(
+    tokens: tuple[Optional[str], Optional[str]] = Depends(oauth2_scheme_cookie),
+    session: Session = Depends(get_session),
+):
     """
-    Log out a user by clearing their cookies.
+    Log out a user by revoking their refresh token and clearing cookies.
     """
     response = RedirectResponse(url="/", status_code=303)
     response.delete_cookie("access_token")
     response.delete_cookie("refresh_token")
+
+    _, refresh_token_value = tokens
+    if refresh_token_value:
+        decoded = validate_token(refresh_token_value, token_type="refresh")
+        if decoded and decoded.get("jti"):
+            db_token = session.exec(
+                select(RefreshToken).where(RefreshToken.jti == decoded["jti"])
+            ).first()
+            if db_token:
+                db_token.revoked = True
+                session.commit()
+
     return response
 
 
@@ -303,7 +320,8 @@ async def register(
 
     # Create access token using the committed account's email
     access_token = create_access_token(data={"sub": account.email, "fresh": True})
-    refresh_token = create_refresh_token(data={"sub": account.email})
+    refresh_token = create_tracked_refresh_token(account.id, account.email, session)
+    session.commit()
 
     # Set cookie — use HX-Redirect for HTMX, 303 for regular form submissions
     if is_htmx_request(request):
@@ -404,7 +422,8 @@ async def login(
     access_token = create_access_token(
         data={"sub": account.email, "fresh": True}
     )
-    refresh_token = create_refresh_token(data={"sub": account.email})
+    refresh_token = create_tracked_refresh_token(account.id, account.email, session)
+    session.commit()
 
     # Set cookie — use HX-Redirect for HTMX, 303 for regular form submissions
     if is_htmx_request(request):
@@ -450,16 +469,47 @@ async def refresh_token(
         response.delete_cookie("refresh_token")
         return response
 
+    # Validate JTI server-side
+    jti = decoded_token.get("jti")
+    if not jti:
+        response = RedirectResponse(url=router.url_path_for("read_login"), status_code=303)
+        response.delete_cookie("access_token")
+        response.delete_cookie("refresh_token")
+        return response
+
     user_email = decoded_token.get("sub")
     account = session.exec(select(Account).where(
         Account.email == user_email)).one_or_none()
     if not account:
         return RedirectResponse(url=router.url_path_for("read_login"), status_code=303)
 
+    db_token = session.exec(
+        select(RefreshToken).where(RefreshToken.jti == jti)
+    ).first()
+
+    if not db_token or db_token.account_id != account.id:
+        return RedirectResponse(url=router.url_path_for("read_login"), status_code=303)
+
+    if db_token.revoked:
+        # Token reuse detected — revoke all tokens for this account
+        logger.warning(
+            f"Refresh token reuse detected for account {account.id} on /refresh endpoint. "
+            "Revoking all refresh tokens."
+        )
+        revoke_all_refresh_tokens(account.id, session)
+        session.commit()
+        response = RedirectResponse(url=router.url_path_for("read_login"), status_code=303)
+        response.delete_cookie("access_token")
+        response.delete_cookie("refresh_token")
+        return response
+
+    # Revoke current token and issue new ones
+    db_token.revoked = True
     new_access_token = create_access_token(
         data={"sub": account.email, "fresh": False}
     )
-    new_refresh_token = create_refresh_token(data={"sub": account.email})
+    new_refresh_token = create_tracked_refresh_token(account.id, account.email, session)
+    session.commit()
 
     response = RedirectResponse(url=dashboard_router.url_path_for("read_dashboard"), status_code=303)
     response.set_cookie(
@@ -616,11 +666,15 @@ async def confirm_email_update(
 
     account.email = new_email
     update_token.used = True
+
+    # Revoke all existing refresh tokens since the email changed
+    revoke_all_refresh_tokens(account.id, session)
     session.commit()
 
     # Create new tokens with the updated email
     access_token = create_access_token(data={"sub": new_email, "fresh": True})
-    refresh_token = create_refresh_token(data={"sub": new_email})
+    refresh_token = create_tracked_refresh_token(account.id, new_email, session)
+    session.commit()
 
     profile_path: URLPath = user_router.url_path_for("read_profile")
     response = RedirectResponse(url=str(profile_path), status_code=303)
 
@@ -76,7 +76,7 @@ <h1 class="mb-4">User Profile</h1>
                     <label for="new_email" class="form-label">New Email Address</label>
                     <input type="email" class="form-control" id="new_email" name="new_email" placeholder="newemail@example.com">
                 </div>
-                <p class="form-text">A confirmation link will be sent to your new email address to verify the change.</p>
+                <p class="form-text">A confirmation link will be sent to your current email address to verify the change.</p>
                 <button type="submit" class="btn btn-primary">Update Email</button>
             </form>
         </div>
 
@@ -6,7 +6,7 @@
 from dotenv import load_dotenv
 from utils.core.db import get_connection_url, tear_down_db, set_up_db, create_default_roles, ensure_database_exists
 from utils.core.models import User, Organization, Role, Account, Invitation
-from utils.core.auth import get_password_hash, create_access_token, create_refresh_token
+from utils.core.auth import get_password_hash, create_access_token, create_tracked_refresh_token
 from main import app
 from datetime import datetime, UTC, timedelta
 
@@ -115,7 +115,8 @@ def auth_client(session: Session, test_account: Account, test_user: User) -> Gen
 
     # Create and set valid tokens
     access_token = create_access_token({"sub": test_account.email})
-    refresh_token = create_refresh_token({"sub": test_account.email})
+    refresh_token = create_tracked_refresh_token(test_account.id, test_account.email, session)
+    session.commit()
 
     client.cookies.set("access_token", access_token)
     client.cookies.set("refresh_token", refresh_token)
@@ -284,11 +285,12 @@ def auth_client_owner(session: Session, org_owner: User) -> Generator[TestClient
     # Create and set valid tokens
     if org_owner.account:
         access_token = create_access_token({"sub": org_owner.account.email})
-        refresh_token = create_refresh_token({"sub": org_owner.account.email})
-        
+        refresh_token = create_tracked_refresh_token(org_owner.account.id, org_owner.account.email, session)
+        session.commit()
+
     client.cookies.set("access_token", access_token)
     client.cookies.set("refresh_token", refresh_token)
-    
+
     yield client
 
 
@@ -304,11 +306,12 @@ def auth_client_admin(session: Session, org_admin_user: User) -> Generator[TestC
     # Create and set valid tokens
     if org_admin_user.account:
         access_token = create_access_token({"sub": org_admin_user.account.email})
-        refresh_token = create_refresh_token({"sub": org_admin_user.account.email})
-        
+        refresh_token = create_tracked_refresh_token(org_admin_user.account.id, org_admin_user.account.email, session)
+        session.commit()
+
     client.cookies.set("access_token", access_token)
     client.cookies.set("refresh_token", refresh_token)
-    
+
     yield client
 
 
@@ -324,11 +327,12 @@ def auth_client_member(session: Session, org_member_user: User) -> Generator[Tes
     # Create and set valid tokens
     if org_member_user.account:
         access_token = create_access_token({"sub": org_member_user.account.email})
-        refresh_token = create_refresh_token({"sub": org_member_user.account.email})
-        
+        refresh_token = create_tracked_refresh_token(org_member_user.account.id, org_member_user.account.email, session)
+        session.commit()
+
     client.cookies.set("access_token", access_token)
     client.cookies.set("refresh_token", refresh_token)
-    
+
     yield client
 
 
@@ -344,11 +348,12 @@ def auth_client_non_member(session: Session, non_member_user: User) -> Generator
     # Create and set valid tokens
     if non_member_user.account:
         access_token = create_access_token({"sub": non_member_user.account.email})
-        refresh_token = create_refresh_token({"sub": non_member_user.account.email})
-        
+        refresh_token = create_tracked_refresh_token(non_member_user.account.id, non_member_user.account.email, session)
+        session.commit()
+
     client.cookies.set("access_token", access_token)
     client.cookies.set("refresh_token", refresh_token)
-    
+
     yield client
 
 
@@ -478,11 +483,12 @@ def auth_client_invitee(session: Session, existing_invitee_user: User) -> Genera
     # Create and set valid tokens
     if existing_invitee_user.account:
         access_token = create_access_token({"sub": existing_invitee_user.account.email})
-        refresh_token = create_refresh_token({"sub": existing_invitee_user.account.email})
-        
+        refresh_token = create_tracked_refresh_token(existing_invitee_user.account.id, existing_invitee_user.account.email, session)
+        session.commit()
+
     client.cookies.set("access_token", access_token)
     client.cookies.set("refresh_token", refresh_token)
-    
+
     yield client
 
 # --- Email Mocking Fixtures ---