An easy-to-host PDS on the ATProtocol, iPhone and MacOS. Maintain control of your keys and data, always.

feat: implement POST /xrpc/com.atproto.server.deleteSession #38

Summary

  • Adds POST /xrpc/com.atproto.server.deleteSession — revokes a session by atomically deleting all associated refresh tokens and the session row
  • Adds verify_refresh_token_allow_expired to auth/jwt.rs — validates HS256 signature but skips expiry check, matching ATProto's allowExpired: true semantics so users can always log out
  • Idempotent: already-revoked tokens return 200 OK

Test plan

  • valid_refresh_token_returns_200 — happy path revocation returns 200
  • revocation_deletes_session_and_refresh_tokens — DB rows are removed atomically
  • revoked_refresh_token_cannot_be_used_for_refresh — revoked token rejected by refreshSession
  • expired_token_with_valid_db_row_is_revoked — expired JWT still revokes the session
  • already_revoked_token_returns_200 — idempotent second call returns 200
  • access_token_rejected — access JWT rejected with 401 INVALID_TOKEN
  • invalid_token_signature_returns_401 — forged JWT rejected
  • missing_authorization_header_returns_401 — missing auth returns 401
  • expired_token_not_in_db_returns_200 — expired token with no DB row returns idempotent 200
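
The allow-expired verification and idempotent revocation described in the summary, as an added Python sketch that is not the project's Rust code from auth/jwt.rs. The claim names `scope`, `jti` and `exp`, the `refresh` scope value, and the in-memory `sessions` dict standing in for the database rows are assumptions.

```python
import base64, hashlib, hmac, json, time

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct sample tokens."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(mac)}"

def verify_refresh(token: str, key: bytes, allow_expired: bool = False) -> dict:
    """Return the claims or raise ValueError. Only the expiry check is optional."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_unb64(head)), json.loads(_unb64(body))
        given = _unb64(sig)
        alg = header["alg"]
    except Exception:
        raise ValueError("malformed token") from None
    if alg != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):  # constant-time comparison
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or claims.get("scope") != "refresh":
        raise ValueError("not a refresh token")  # assumed claim name and value
    if not allow_expired and claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims

def delete_session(token: str, key: bytes, sessions: dict) -> int:
    """sessions maps jti -> session id, a stand-in for the DB rows."""
    try:
        claims = verify_refresh(token, key, allow_expired=True)
    except ValueError:
        return 401
    sessions.pop(claims.get("jti"), None)  # missing row is fine: idempotent
    return 200
```

Skipping expiry relaxes exactly one check: the signature, the pinned algorithm and the token type are still enforced, so a forged token or an access token cannot end a session.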

AT URI
at://did:web:malpercio.dev/sh.tangled.repo.pull/3mhvyh6dvae22
Diff #0

No differences found between the selected revisions.

History

1 round 0 comments
malpercio.dev submitted #0
patch application failed: error: No valid patches in input (allow with "--allow-empty")