feat(auth): move JWT blacklist to Redis with TTL [FASE-0.2]

Revoke tokens by jti in a dedicated Redis DB, honor TTL from JWT exp on logout, reject revoked tokens in get_current_user, and add FakeRedis-backed API tests.
2026-05-18 13:19:15 +02:00
parent 9b70655b7e
commit c5eb6f6dc1
5 changed files with 104 additions and 13 deletions


@@ -15,7 +15,7 @@ from fastapi.security import OAuth2PasswordBearer
from jose import JWTError, jwt
from sqlalchemy.orm import Session
from app.auth import is_token_blacklisted
from app import auth as auth_lib
from app.config import settings
from app.database import get_db
from app.models.user import User
@@ -57,6 +57,11 @@ async def get_current_user(
detail="Could not validate credentials",
headers={"WWW-Authenticate": "Bearer"},
)
revoked_exception = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Token has been revoked",
headers={"WWW-Authenticate": "Bearer"},
)
# Prefer cookie, fall back to header
token = aegis_token or bearer_token
@@ -74,8 +79,8 @@ async def get_current_user(
raise credentials_exception
# Check token blacklist (revoked tokens)
jti: str | None = payload.get("jti")
if jti and is_token_blacklisted(jti):
raise credentials_exception
if jti and auth_lib.is_token_blacklisted(jti):
raise revoked_exception
except JWTError:
raise credentials_exception
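Review bot: The revocation check is still skipped for any token whose payload carries no `jti` (`if jti and auth_lib.is_token_blacklisted(jti)`), so a token that cannot be revoked is accepted without ever consulting the blacklist; since revocation is now keyed on jti, such tokens should be rejected outright, e.g. `if not jti: raise credentials_exception` before `if auth_lib.is_token_blacklisted(jti): raise revoked_exception`. The call sits inside the `try` that only catches `JWTError`, so if `is_token_blacklisted` surfaces a Redis connection error it will propagate as a 500 rather than being treated as a failed check — whether the helper swallows errors (fail-open) or raises is not visible in this hunk and is worth documenting next to the call, e.g. `# NOTE: a blacklist lookup error must not be treated as "not revoked"`. The separate "Token has been revoked" message is a reasonable UX choice but does tell a caller that a signed token was otherwise valid; keep it only if that distinction is intended. `get_current_user` begins and continues outside this hunk.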