From d2f0a18f420c75f8572c474f72fc133cf046b10b Mon Sep 17 00:00:00 2001 From: Hz_ Date: Fri, 29 May 2026 19:31:45 +0800 Subject: [PATCH] fix: persist logout access token invalidation (#15397) ### What this PR fixes This PR fixes an issue in the Python backend where user logout did not reliably persist the invalidated access_token to the database. Although the logout endpoint returned success and logged that the token had been invalidated, the user.access_token value could remain unchanged in the database, which meant the previous login token could stay valid longer than expected. ### What changed - Resolve the real user object before updating the token - Persist the invalidated access_token before calling logout_user() - Return a server error if the token update is not written successfully ### Impact - Logging out now correctly replaces the stored access_token with an INVALID_... value - The previous login session is properly invalidated - The change is limited to the logout flow and is intentionally small in scope --- api/apps/restful_apis/user_api.py | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/api/apps/restful_apis/user_api.py b/api/apps/restful_apis/user_api.py index 8362e329dd..b5aedf3d6e 100644 --- a/api/apps/restful_apis/user_api.py +++ b/api/apps/restful_apis/user_api.py @@ -288,9 +288,13 @@ async def log_out(): schema: type: object """ - user_id = current_user.id - current_user.access_token = f"INVALID_{secrets.token_hex(16)}" - current_user.save() + user = current_user._get_current_object() if hasattr(current_user, "_get_current_object") else current_user + user_id = user.id + user.access_token = f"INVALID_{secrets.token_hex(16)}" + saved = user.save() + if saved == 0: + logging.error("Logout failed to persist access token update: user_id=%s", user_id) + return get_json_result(code=RetCode.SERVER_ERROR, data=False, message="Failed to update access token") logout_user() logging.info("Logout: user_id=%s, access_token invalidated", user_id) return get_json_result(data=True)