willdot.net / at-container-registry
forked from evan.jarrett.net/at-container-registry
A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

invalidate sessions when scopes change

Evan Jarrett 08fb8abb ce7160cd

+580 -3
+10
cmd/appview/serve.go
··· 148 148 } 149 149 fmt.Println("Using full OAuth scopes (including blob: scope)") 150 150 151 + // Invalidate sessions with mismatched scopes on startup 152 + // This ensures all users have the latest required scopes after deployment 153 + desiredScopes := oauth.GetDefaultScopes(defaultHoldDID) 154 + invalidatedCount, err := oauthStore.InvalidateSessionsWithMismatchedScopes(context.Background(), desiredScopes) 155 + if err != nil { 156 + fmt.Printf("Warning: Failed to invalidate sessions with mismatched scopes: %v\n", err) 157 + } else if invalidatedCount > 0 { 158 + fmt.Printf("Invalidated %d OAuth session(s) due to scope changes\n", invalidatedCount) 159 + } 160 + 151 161 // Create oauth token refresher 152 162 refresher := oauth.NewRefresher(oauthApp) 153 163
+83
pkg/appview/db/oauth_store.go
··· 234 234 return nil 235 235 } 236 236 237 + // InvalidateSessionsWithMismatchedScopes removes all sessions whose scopes don't match the desired scopes 238 + // This is called on AppView startup to ensure all sessions have current scopes 239 + // Returns the count of invalidated sessions 240 + func (s *OAuthStore) InvalidateSessionsWithMismatchedScopes(ctx context.Context, desiredScopes []string) (int, error) { 241 + // Query all sessions 242 + rows, err := s.db.QueryContext(ctx, ` 243 + SELECT session_key, account_did, session_id, session_data 244 + FROM oauth_sessions 245 + `) 246 + if err != nil { 247 + return 0, fmt.Errorf("failed to query sessions: %w", err) 248 + } 249 + defer rows.Close() 250 + 251 + var sessionsToDelete []string 252 + for rows.Next() { 253 + var sessionKey, accountDID, sessionID, sessionDataJSON string 254 + if err := rows.Scan(&sessionKey, &accountDID, &sessionID, &sessionDataJSON); err != nil { 255 + fmt.Printf("WARNING [oauth/store]: Failed to scan session row: %v\n", err) 256 + continue 257 + } 258 + 259 + // Parse session data 260 + var sessionData oauth.ClientSessionData 261 + if err := json.Unmarshal([]byte(sessionDataJSON), &sessionData); err != nil { 262 + fmt.Printf("WARNING [oauth/store]: Failed to parse session data for %s: %v\n", sessionKey, err) 263 + // Delete malformed sessions 264 + sessionsToDelete = append(sessionsToDelete, sessionKey) 265 + continue 266 + } 267 + 268 + // Check if scopes match (need to import oauth package for ScopesMatch) 269 + // Since we're in db package, we can't import oauth (circular dependency) 270 + // So we'll implement a simple scope comparison here 271 + if !scopesMatch(sessionData.Scopes, desiredScopes) { 272 + sessionsToDelete = append(sessionsToDelete, sessionKey) 273 + } 274 + } 275 + 276 + if err := rows.Err(); err != nil { 277 + return 0, fmt.Errorf("error iterating sessions: %w", err) 278 + } 279 + 280 + // Delete sessions with mismatched scopes 281 + if len(sessionsToDelete) > 0 { 282 + for _, key := range sessionsToDelete { 283 + _, err := s.db.ExecContext(ctx, ` 284 + DELETE FROM oauth_sessions WHERE session_key = ? 285 + `, key) 286 + if err != nil { 287 + fmt.Printf("WARNING [oauth/store]: Failed to delete session %s: %v\n", key, err) 288 + } 289 + } 290 + fmt.Printf("Invalidated %d OAuth session(s) with mismatched scopes\n", len(sessionsToDelete)) 291 + } 292 + 293 + return len(sessionsToDelete), nil 294 + } 295 + 296 + // scopesMatch checks if two scope lists are equivalent (order-independent) 297 + // Local implementation to avoid circular dependency with oauth package 298 + func scopesMatch(stored, desired []string) bool { 299 + if len(stored) == 0 && len(desired) == 0 { 300 + return true 301 + } 302 + if len(stored) != len(desired) { 303 + return false 304 + } 305 + 306 + desiredMap := make(map[string]bool, len(desired)) 307 + for _, scope := range desired { 308 + desiredMap[scope] = true 309 + } 310 + 311 + for _, scope := range stored { 312 + if !desiredMap[scope] { 313 + return false 314 + } 315 + } 316 + 317 + return true 318 + } 319 + 237 320 // makeSessionKey creates a composite key for session storage 238 321 func makeSessionKey(did, sessionID string) string { 239 322 return fmt.Sprintf("%s:%s", did, sessionID)
+371
pkg/appview/db/oauth_store_test.go
··· 1 + package db 2 + 3 + import ( 4 + "context" 5 + "testing" 6 + "time" 7 + 8 + "github.com/bluesky-social/indigo/atproto/auth/oauth" 9 + "github.com/bluesky-social/indigo/atproto/syntax" 10 + ) 11 + 12 + func TestInvalidateSessionsWithMismatchedScopes(t *testing.T) { 13 + // Create in-memory test database 14 + db, err := InitDB(":memory:") 15 + if err != nil { 16 + t.Fatalf("Failed to init database: %v", err) 17 + } 18 + defer db.Close() 19 + 20 + store := NewOAuthStore(db) 21 + ctx := context.Background() 22 + 23 + // Test 1: Empty database - should return 0 24 + count, err := store.InvalidateSessionsWithMismatchedScopes(ctx, []string{"atproto", "blob:image/png"}) 25 + if err != nil { 26 + t.Fatalf("Expected no error with empty DB, got: %v", err) 27 + } 28 + if count != 0 { 29 + t.Errorf("Expected 0 invalidated sessions in empty DB, got %d", count) 30 + } 31 + 32 + // Helper to create session data 33 + createSession := func(did, sessionID string, scopes []string) oauth.ClientSessionData { 34 + parsedDID, _ := syntax.ParseDID(did) 35 + return oauth.ClientSessionData{ 36 + AccountDID: parsedDID, 37 + SessionID: sessionID, 38 + HostURL: "https://bsky.social", 39 + AuthServerURL: "https://bsky.social", 40 + AuthServerTokenEndpoint: "https://bsky.social/oauth/token", 41 + Scopes: scopes, 42 + AccessToken: "test_access_token", 43 + RefreshToken: "test_refresh_token", 44 + DPoPAuthServerNonce: "test_nonce", 45 + DPoPHostNonce: "test_host_nonce", 46 + DPoPPrivateKeyMultibase: "test_key", 47 + } 48 + } 49 + 50 + // Test 2: Session with matching scopes - should not be invalidated 51 + matchingSession := createSession("did:plc:test1", "session1", []string{"atproto", "blob:image/png"}) 52 + if err := store.SaveSession(ctx, matchingSession); err != nil { 53 + t.Fatalf("Failed to save matching session: %v", err) 54 + } 55 + 56 + count, err = store.InvalidateSessionsWithMismatchedScopes(ctx, []string{"atproto", "blob:image/png"}) 57 + if err != nil { 58 + t.Fatalf("Expected no error, got: %v", err) 59 + } 60 + if count != 0 { 61 + t.Errorf("Expected 0 invalidated sessions (all match), got %d", count) 62 + } 63 + 64 + // Verify session still exists 65 + retrieved, err := store.GetSession(ctx, matchingSession.AccountDID, matchingSession.SessionID) 66 + if err != nil { 67 + t.Errorf("Expected session to still exist, got error: %v", err) 68 + } 69 + if retrieved == nil { 70 + t.Error("Expected session to still exist, got nil") 71 + } 72 + 73 + // Test 3: Session with mismatched scopes (missing scope) - should be invalidated 74 + mismatchedSession := createSession("did:plc:test2", "session2", []string{"atproto"}) // Missing blob scope 75 + if err := store.SaveSession(ctx, mismatchedSession); err != nil { 76 + t.Fatalf("Failed to save mismatched session: %v", err) 77 + } 78 + 79 + count, err = store.InvalidateSessionsWithMismatchedScopes(ctx, []string{"atproto", "blob:image/png"}) 80 + if err != nil { 81 + t.Fatalf("Expected no error, got: %v", err) 82 + } 83 + if count != 1 { 84 + t.Errorf("Expected 1 invalidated session, got %d", count) 85 + } 86 + 87 + // Verify mismatched session was deleted 88 + retrieved, err = store.GetSession(ctx, mismatchedSession.AccountDID, mismatchedSession.SessionID) 89 + if err == nil { 90 + t.Error("Expected session to be deleted (should error), but got no error") 91 + } 92 + 93 + // Test 4: Session with extra scopes - should be invalidated 94 + extraScopeSession := createSession("did:plc:test3", "session3", []string{"atproto", "blob:image/png", "extra:scope"}) 95 + if err := store.SaveSession(ctx, extraScopeSession); err != nil { 96 + t.Fatalf("Failed to save extra scope session: %v", err) 97 + } 98 + 99 + count, err = store.InvalidateSessionsWithMismatchedScopes(ctx, []string{"atproto", "blob:image/png"}) 100 + if err != nil { 101 + t.Fatalf("Expected no error, got: %v", err) 102 + } 103 + if count != 1 { 104 + t.Errorf("Expected 1 invalidated session (extra scope), got %d", count) 105 + } 106 + 107 + // Test 5: Multiple sessions with mixed matches - only mismatch should be invalidated 108 + matching1 := createSession("did:plc:test4", "session4", []string{"atproto", "blob:image/png"}) 109 + matching2 := createSession("did:plc:test5", "session5", []string{"blob:image/png", "atproto"}) // Different order 110 + mismatched1 := createSession("did:plc:test6", "session6", []string{"atproto"}) 111 + mismatched2 := createSession("did:plc:test7", "session7", []string{"wrong", "scopes"}) 112 + 113 + for _, sess := range []oauth.ClientSessionData{matching1, matching2, mismatched1, mismatched2} { 114 + if err := store.SaveSession(ctx, sess); err != nil { 115 + t.Fatalf("Failed to save session: %v", err) 116 + } 117 + } 118 + 119 + count, err = store.InvalidateSessionsWithMismatchedScopes(ctx, []string{"atproto", "blob:image/png"}) 120 + if err != nil { 121 + t.Fatalf("Expected no error, got: %v", err) 122 + } 123 + if count != 2 { 124 + t.Errorf("Expected 2 invalidated sessions, got %d", count) 125 + } 126 + 127 + // Verify matching sessions still exist 128 + for _, sess := range []oauth.ClientSessionData{matching1, matching2} { 129 + retrieved, err := store.GetSession(ctx, sess.AccountDID, sess.SessionID) 130 + if err != nil { 131 + t.Errorf("Expected matching session %s to exist, got error: %v", sess.SessionID, err) 132 + } 133 + if retrieved == nil { 134 + t.Errorf("Expected matching session %s to exist, got nil", sess.SessionID) 135 + } 136 + } 137 + 138 + // Test 6: Malformed session data - should be deleted 139 + parsedDID, _ := syntax.ParseDID("did:plc:test8") 140 + _, err = db.ExecContext(ctx, ` 141 + INSERT INTO oauth_sessions (session_key, account_did, session_id, session_data, created_at, updated_at) 142 + VALUES (?, ?, ?, ?, datetime('now'), datetime('now')) 143 + `, makeSessionKey("did:plc:test8", "malformed"), "did:plc:test8", "malformed", "invalid json data") 144 + if err != nil { 145 + t.Fatalf("Failed to insert malformed session: %v", err) 146 + } 147 + 148 + count, err = store.InvalidateSessionsWithMismatchedScopes(ctx, []string{"atproto", "blob:image/png"}) 149 + if err != nil { 150 + t.Fatalf("Expected no error handling malformed data, got: %v", err) 151 + } 152 + if count != 1 { 153 + t.Errorf("Expected 1 invalidated session (malformed), got %d", count) 154 + } 155 + 156 + // Verify malformed session was deleted 157 + retrieved, err = store.GetSession(ctx, parsedDID, "malformed") 158 + if err == nil { 159 + t.Error("Expected malformed session to be deleted, but got no error") 160 + } 161 + } 162 + 163 + func TestScopesMatch(t *testing.T) { 164 + // Test the local scopesMatch function to ensure it matches the oauth.ScopesMatch behavior 165 + tests := []struct { 166 + name string 167 + stored []string 168 + desired []string 169 + expected bool 170 + }{ 171 + { 172 + name: "exact match", 173 + stored: []string{"atproto", "blob:image/png"}, 174 + desired: []string{"atproto", "blob:image/png"}, 175 + expected: true, 176 + }, 177 + { 178 + name: "different order", 179 + stored: []string{"blob:image/png", "atproto"}, 180 + desired: []string{"atproto", "blob:image/png"}, 181 + expected: true, 182 + }, 183 + { 184 + name: "missing scope", 185 + stored: []string{"atproto"}, 186 + desired: []string{"atproto", "blob:image/png"}, 187 + expected: false, 188 + }, 189 + { 190 + name: "extra scope", 191 + stored: []string{"atproto", "blob:image/png", "extra"}, 192 + desired: []string{"atproto", "blob:image/png"}, 193 + expected: false, 194 + }, 195 + { 196 + name: "both empty", 197 + stored: []string{}, 198 + desired: []string{}, 199 + expected: true, 200 + }, 201 + { 202 + name: "nil vs empty", 203 + stored: nil, 204 + desired: []string{}, 205 + expected: true, 206 + }, 207 + } 208 + 209 + for _, tt := range tests { 210 + t.Run(tt.name, func(t *testing.T) { 211 + result := scopesMatch(tt.stored, tt.desired) 212 + if result != tt.expected { 213 + t.Errorf("scopesMatch(%v, %v) = %v, want %v", 214 + tt.stored, tt.desired, result, tt.expected) 215 + } 216 + }) 217 + } 218 + } 219 + 220 + func TestOAuthStoreSessionLifecycle(t *testing.T) { 221 + // Basic test to ensure SaveSession, GetSession, DeleteSession work correctly 222 + db, err := InitDB(":memory:") 223 + if err != nil { 224 + t.Fatalf("Failed to init database: %v", err) 225 + } 226 + defer db.Close() 227 + 228 + store := NewOAuthStore(db) 229 + ctx := context.Background() 230 + 231 + // Create test session 232 + did, _ := syntax.ParseDID("did:plc:testuser") 233 + sessionData := oauth.ClientSessionData{ 234 + AccountDID: did, 235 + SessionID: "test_session_id", 236 + HostURL: "https://bsky.social", 237 + AuthServerURL: "https://bsky.social", 238 + AuthServerTokenEndpoint: "https://bsky.social/oauth/token", 239 + Scopes: []string{"atproto", "blob:image/png"}, 240 + AccessToken: "test_access_token", 241 + RefreshToken: "test_refresh_token", 242 + DPoPAuthServerNonce: "test_nonce", 243 + DPoPHostNonce: "test_host_nonce", 244 + DPoPPrivateKeyMultibase: "test_key", 245 + } 246 + 247 + // Test SaveSession 248 + if err := store.SaveSession(ctx, sessionData); err != nil { 249 + t.Fatalf("Failed to save session: %v", err) 250 + } 251 + 252 + // Test GetSession 253 + retrieved, err := store.GetSession(ctx, did, "test_session_id") 254 + if err != nil { 255 + t.Fatalf("Failed to get session: %v", err) 256 + } 257 + if retrieved == nil { 258 + t.Fatal("Retrieved session is nil") 259 + } 260 + if retrieved.SessionID != sessionData.SessionID { 261 + t.Errorf("Expected session ID %s, got %s", sessionData.SessionID, retrieved.SessionID) 262 + } 263 + if len(retrieved.Scopes) != len(sessionData.Scopes) { 264 + t.Errorf("Expected %d scopes, got %d", len(sessionData.Scopes), len(retrieved.Scopes)) 265 + } 266 + 267 + // Test UpdateSession (upsert) 268 + sessionData.AccessToken = "new_access_token" 269 + if err := store.SaveSession(ctx, sessionData); err != nil { 270 + t.Fatalf("Failed to update session: %v", err) 271 + } 272 + 273 + retrieved, err = store.GetSession(ctx, did, "test_session_id") 274 + if err != nil { 275 + t.Fatalf("Failed to get updated session: %v", err) 276 + } 277 + if retrieved.AccessToken != "new_access_token" { 278 + t.Errorf("Expected updated access token, got %s", retrieved.AccessToken) 279 + } 280 + 281 + // Test DeleteSession 282 + if err := store.DeleteSession(ctx, did, "test_session_id"); err != nil { 283 + t.Fatalf("Failed to delete session: %v", err) 284 + } 285 + 286 + // Verify deletion 287 + retrieved, err = store.GetSession(ctx, did, "test_session_id") 288 + if err == nil { 289 + t.Error("Expected error after deletion, got nil") 290 + } 291 + } 292 + 293 + func TestCleanupOldSessions(t *testing.T) { 294 + db, err := InitDB(":memory:") 295 + if err != nil { 296 + t.Fatalf("Failed to init database: %v", err) 297 + } 298 + defer db.Close() 299 + 300 + store := NewOAuthStore(db) 301 + ctx := context.Background() 302 + 303 + // Insert old session (31 days ago) 304 + did1, _ := syntax.ParseDID("did:plc:old") 305 + oldSessionData := oauth.ClientSessionData{ 306 + AccountDID: did1, 307 + SessionID: "old_session", 308 + HostURL: "https://bsky.social", 309 + AuthServerURL: "https://bsky.social", 310 + AuthServerTokenEndpoint: "https://bsky.social/oauth/token", 311 + Scopes: []string{"atproto"}, 312 + AccessToken: "old_token", 313 + RefreshToken: "old_refresh", 314 + DPoPAuthServerNonce: "old_nonce", 315 + DPoPHostNonce: "old_host_nonce", 316 + DPoPPrivateKeyMultibase: "old_key", 317 + } 318 + 319 + // Save and manually update timestamp to be old 320 + if err := store.SaveSession(ctx, oldSessionData); err != nil { 321 + t.Fatalf("Failed to save old session: %v", err) 322 + } 323 + 324 + // Update timestamp to 31 days ago 325 + oldTime := time.Now().Add(-31 * 24 * time.Hour) 326 + _, err = db.ExecContext(ctx, ` 327 + UPDATE oauth_sessions 328 + SET updated_at = ? 329 + WHERE session_key = ? 330 + `, oldTime, makeSessionKey(did1.String(), "old_session")) 331 + if err != nil { 332 + t.Fatalf("Failed to update session timestamp: %v", err) 333 + } 334 + 335 + // Insert recent session (1 day ago) 336 + did2, _ := syntax.ParseDID("did:plc:recent") 337 + recentSessionData := oauth.ClientSessionData{ 338 + AccountDID: did2, 339 + SessionID: "recent_session", 340 + HostURL: "https://bsky.social", 341 + AuthServerURL: "https://bsky.social", 342 + AuthServerTokenEndpoint: "https://bsky.social/oauth/token", 343 + Scopes: []string{"atproto"}, 344 + AccessToken: "recent_token", 345 + RefreshToken: "recent_refresh", 346 + DPoPAuthServerNonce: "recent_nonce", 347 + DPoPHostNonce: "recent_host_nonce", 348 + DPoPPrivateKeyMultibase: "recent_key", 349 + } 350 + 351 + if err := store.SaveSession(ctx, recentSessionData); err != nil { 352 + t.Fatalf("Failed to save recent session: %v", err) 353 + } 354 + 355 + // Run cleanup (remove sessions older than 30 days) 356 + if err := store.CleanupOldSessions(ctx, 30*24*time.Hour); err != nil { 357 + t.Fatalf("Failed to cleanup old sessions: %v", err) 358 + } 359 + 360 + // Verify old session was deleted 361 + _, err = store.GetSession(ctx, did1, "old_session") 362 + if err == nil { 363 + t.Error("Expected old session to be deleted") 364 + } 365 + 366 + // Verify recent session still exists 367 + _, err = store.GetSession(ctx, did2, "recent_session") 368 + if err != nil { 369 + t.Errorf("Expected recent session to exist, got error: %v", err) 370 + } 371 + }
+1 -1
pkg/appview/db/readonly.go
··· 92 92 93 93 // Start cleanup goroutines for all SQLite stores 94 94 go func() { 95 - ticker := time.NewTicker(5 * time.Minute) 95 + ticker := time.NewTicker(1 * time.Hour) 96 96 defer ticker.Stop() 97 97 for range ticker.C { 98 98 ctx := context.Background()
+7 -1
pkg/appview/templates/pages/repository.html
··· 196 196 {{ end }} 197 197 </div> 198 198 {{ if .IsManifestList }} 199 - <span class="platform-count">{{ .PlatformCount }} platforms</span> 199 + {{ if .Platforms }} 200 + <div class="platforms-inline"> 201 + {{ range .Platforms }} 202 + <span class="platform-badge">{{ .OS }}/{{ .Architecture }}{{ if .Variant }}/{{ .Variant }}{{ end }}</span> 203 + {{ end }} 204 + </div> 205 + {{ end }} 200 206 {{ end }} 201 207 </div> 202 208 </div>
+27
pkg/auth/oauth/client.go
··· 139 139 fmt.Sprintf("repo:%s", atproto.SailorProfileCollection), 140 140 } 141 141 } 142 + 143 + // ScopesMatch checks if two scope lists are equivalent (order-independent) 144 + // Returns true if both lists contain the same scopes, regardless of order 145 + func ScopesMatch(stored, desired []string) bool { 146 + // Handle nil/empty cases 147 + if len(stored) == 0 && len(desired) == 0 { 148 + return true 149 + } 150 + if len(stored) != len(desired) { 151 + return false 152 + } 153 + 154 + // Build map of desired scopes for O(1) lookup 155 + desiredMap := make(map[string]bool, len(desired)) 156 + for _, scope := range desired { 157 + desiredMap[scope] = true 158 + } 159 + 160 + // Check if all stored scopes exist in desired 161 + for _, scope := range stored { 162 + if !desiredMap[scope] { 163 + return false 164 + } 165 + } 166 + 167 + return true 168 + }
+65
pkg/auth/oauth/client_test.go
··· 1 + package oauth 2 + 3 + import "testing" 4 + 5 + func TestScopesMatch(t *testing.T) { 6 + tests := []struct { 7 + name string 8 + stored []string 9 + desired []string 10 + expected bool 11 + }{ 12 + { 13 + name: "exact match", 14 + stored: []string{"atproto", "blob:image/png"}, 15 + desired: []string{"atproto", "blob:image/png"}, 16 + expected: true, 17 + }, 18 + { 19 + name: "different order", 20 + stored: []string{"blob:image/png", "atproto"}, 21 + desired: []string{"atproto", "blob:image/png"}, 22 + expected: true, 23 + }, 24 + { 25 + name: "missing scope in stored", 26 + stored: []string{"atproto"}, 27 + desired: []string{"atproto", "blob:image/png"}, 28 + expected: false, 29 + }, 30 + { 31 + name: "extra scope in stored", 32 + stored: []string{"atproto", "blob:image/png", "extra"}, 33 + desired: []string{"atproto", "blob:image/png"}, 34 + expected: false, 35 + }, 36 + { 37 + name: "both empty", 38 + stored: []string{}, 39 + desired: []string{}, 40 + expected: true, 41 + }, 42 + { 43 + name: "nil vs empty", 44 + stored: nil, 45 + desired: []string{}, 46 + expected: true, 47 + }, 48 + { 49 + name: "completely different", 50 + stored: []string{"foo", "bar"}, 51 + desired: []string{"baz", "qux"}, 52 + expected: false, 53 + }, 54 + } 55 + 56 + for _, tt := range tests { 57 + t.Run(tt.name, func(t *testing.T) { 58 + result := ScopesMatch(tt.stored, tt.desired) 59 + if result != tt.expected { 60 + t.Errorf("ScopesMatch(%v, %v) = %v, want %v", 61 + tt.stored, tt.desired, result, tt.expected) 62 + } 63 + }) 64 + } 65 + }
+16 -1
pkg/auth/oauth/refresher.go
··· 106 106 return nil, fmt.Errorf("store must implement GetLatestSessionForDID (SQLite store required)") 107 107 } 108 108 109 - _, sessionID, err := getter.GetLatestSessionForDID(ctx, did) 109 + sessionData, sessionID, err := getter.GetLatestSessionForDID(ctx, did) 110 110 if err != nil { 111 111 return nil, fmt.Errorf("no session found for DID: %s", did) 112 + } 113 + 114 + // Validate that session scopes match current desired scopes 115 + desiredScopes := r.app.GetConfig().Scopes 116 + if !ScopesMatch(sessionData.Scopes, desiredScopes) { 117 + fmt.Printf("DEBUG [oauth/refresher]: Scope mismatch for DID %s - deleting session\n", did) 118 + fmt.Printf(" Stored scopes: %v\n", sessionData.Scopes) 119 + fmt.Printf(" Desired scopes: %v\n", desiredScopes) 120 + 121 + // Delete the session from database since scopes have changed 122 + if err := r.app.clientApp.Store.DeleteSession(ctx, accountDID, sessionID); err != nil { 123 + fmt.Printf("WARNING [oauth/refresher]: Failed to delete session with mismatched scopes: %v\n", err) 124 + } 125 + 126 + return nil, fmt.Errorf("OAuth scopes changed, re-authentication required") 112 127 } 113 128 114 129 // Resume session