Update the refresh token verify mechanism (#710)

wu-clan · web-flow · commit 099880dd1cb6 · 2025-07-02T18:08:28.000+08:00
* Remove the logout interface auth dependency

* Update the refresh token check
diff --git a/backend/app/admin/api/v1/auth/auth.py b/backend/app/admin/api/v1/auth/auth.py
@@ -47,7 +47,7 @@ async def refresh_token(request: Request) -> ResponseSchemaModel[GetNewToken]:
     return response_base.success(data=data)
 
 
-@router.post('/logout', summary='用户登出', dependencies=[DependsJwtAuth])
+@router.post('/logout', summary='用户登出')
 async def logout(request: Request, response: Response) -> ResponseModel:
     await auth_service.logout(request=request, response=response)
     return response_base.success()
diff --git a/backend/app/admin/service/auth_service.py b/backend/app/admin/service/auth_service.py
@@ -197,14 +197,17 @@ async def refresh_token(*, request: Request) -> GetNewToken:
         """
         refresh_token = request.cookies.get(settings.COOKIE_REFRESH_TOKEN_KEY)
         if not refresh_token:
-            raise errors.TokenError(msg='Refresh Token 已过期，请重新登录')
+            raise errors.RequestError(msg='Refresh Token 已过期，请重新登录')
         token_payload = jwt_decode(refresh_token)
         async with async_db_session() as db:
             user = await user_dao.get(db, token_payload.id)
             if not user:
                 raise errors.NotFoundError(msg='用户不存在')
             elif not user.status:
                 raise errors.AuthorizationError(msg='用户已被锁定, 请联系统管理员')
+            if not user.is_multi_login:
+                if await redis_client.keys(match=f'{settings.TOKEN_REDIS_PREFIX}:{user.id}:*'):
+                    raise errors.ForbiddenError(msg='此用户已在异地登录，请重新登录并及时修改密码')
             new_token = await create_new_token(
                 refresh_token,
                 token_payload.session_uuid,
