* fix: invalidate session on fatal OAuth2 refresh errors

When a token refresh fails with a fatal OAuth2 error (invalid_grant, invalid_client), the session is now cleared from the session store and the cookie is removed, forcing re-authentication. Previously, fatal refresh errors were logged but the stale session continued to be served, leaving users logged in indefinitely after their session was revoked at the provider level. Transient errors (network timeouts, server errors) continue to preserve the existing session as before.

Fixes #1945

Signed-off-by: Francesco Pasqualini <frapas@gmail.com>

* fix: apply review nits and add CHANGELOG entry

Signed-off-by: Francesco Pasqualini <frapas@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>

---------

Signed-off-by: Francesco Pasqualini <frapas@gmail.com>
Signed-off-by: Jan Larwig <jan@larwig.com>
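The rule the commit describes, modelled as an added Go example that is not the project's own code: a token-endpoint reply is classified into a protocol-level `*OAuth2Error` (HTTP 400/401 with an RFC 6749 `error` body) or a plain transient error, only `invalid_grant` and `invalid_client` count as fatal, and a fatal error clears the server-side session and expires the cookie while a transient error keeps serving the existing session. `Session`, `SessionStore`, `MemStore`, `ClassifyRefreshResponse`, `IsFatalRefreshError`, `RefreshSession`, the `refresh` callback and the cookie name `_oauth2_proxy` are assumptions for illustration, and the sample sessions and response bodies are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// OAuth2Error is a protocol-level error from the token endpoint
// (RFC 6749 section 5.2): a JSON body carrying "error" and, optionally,
// "error_description".
type OAuth2Error struct {
	Code        string `json:"error"`
	Description string `json:"error_description,omitempty"`
}

func (e *OAuth2Error) Error() string {
	return fmt.Sprintf("oauth2 error %q: %s", e.Code, e.Description)
}

// ClassifyRefreshResponse turns a token-endpoint reply into an error value.
// 200 is success (nil). A 400/401 with a parsable error body becomes
// *OAuth2Error so callers can inspect the code; anything else (5xx, garbage
// bodies) is a plain error and is therefore treated as transient.
func ClassifyRefreshResponse(status int, body []byte) error {
	switch status {
	case http.StatusOK:
		return nil
	case http.StatusBadRequest, http.StatusUnauthorized:
		var oe OAuth2Error
		if err := json.Unmarshal(body, &oe); err == nil && oe.Code != "" {
			return &oe
		}
		return fmt.Errorf("token endpoint returned %d with unparsable body", status)
	default:
		return fmt.Errorf("token endpoint returned %d", status)
	}
}

// IsFatalRefreshError reports whether a refresh can never succeed again.
// Only the two codes named in the commit are fatal; every other error,
// including network failures that never produce an OAuth2Error, is transient.
func IsFatalRefreshError(err error) bool {
	var oe *OAuth2Error
	if !errors.As(err, &oe) {
		return false
	}
	return oe.Code == "invalid_grant" || oe.Code == "invalid_client"
}

// Session is a minimal stand-in for a stored session (assumed shape).
type Session struct {
	ID           string
	Email        string
	RefreshToken string
}

// SessionStore is a hypothetical server-side store keyed by session ID.
type SessionStore interface {
	Load(id string) (*Session, bool)
	Clear(id string)
}

// MemStore is an in-memory SessionStore for the example.
type MemStore struct{ m map[string]*Session }

func NewMemStore() *MemStore                        { return &MemStore{m: map[string]*Session{}} }
func (s *MemStore) Save(sess *Session)              { s.m[sess.ID] = sess }
func (s *MemStore) Load(id string) (*Session, bool) { sess, ok := s.m[id]; return sess, ok }
func (s *MemStore) Clear(id string)                 { delete(s.m, id) }

// RefreshSession applies the commit's rule. refresh is the hypothetical call
// to the provider. On a fatal error the session is dropped from the store, the
// cookie is expired on the response, and nil is returned so the caller sends
// the user back to login. On a transient error the existing session is kept.
func RefreshSession(store SessionStore, cookieName string, w http.ResponseWriter,
	sess *Session, refresh func(*Session) error) (*Session, error) {
	err := refresh(sess)
	if err == nil {
		return sess, nil
	}
	if IsFatalRefreshError(err) {
		store.Clear(sess.ID)
		http.SetCookie(w, &http.Cookie{
			Name: cookieName, Value: "", Path: "/", MaxAge: -1, // MaxAge<0 emits Max-Age=0
			HttpOnly: true, Secure: true,
		})
		return nil, err
	}
	return sess, err // transient: keep serving the existing session, as before
}

func main() {
	// Constructed sample: a session whose refresh token was revoked upstream.
	store := NewMemStore()
	sess := &Session{ID: "s1", Email: "alice@example.com", RefreshToken: "rt-1"}
	store.Save(sess)
	w := httptest.NewRecorder()
	_, err := RefreshSession(store, "_oauth2_proxy", w, sess, func(*Session) error {
		return ClassifyRefreshResponse(400, []byte(`{"error":"invalid_grant"}`))
	})
	_, kept := store.Load("s1")
	fmt.Println(err, "| session kept:", kept, "| Set-Cookie:", w.Header().Get("Set-Cookie"))
}
```

The split between `ClassifyRefreshResponse` and `IsFatalRefreshError` is deliberate: the classifier is the only place that has to understand the provider's wire format, and the fatal/transient decision is a closed allow-list of codes, so a new provider quirk (an unexpected 4xx, an empty body) falls through to the transient path and cannot accidentally log a whole user base out.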
| Directory |
|---|
| .. |
| apis |
| app |
| authentication |
| cookies |
| encryption |
| header |
| ip |
| logger |
| middleware |
| providers |
| proxyhttp |
| requests |
| sessions |
| upstream |
| util |
| validation |
| version |
| watcher |