Add token revocation mechanism and support for logout APIs

This commit introduces a system to revoke tokens by storing their `jti` in a new `RevokedToken` model. It includes APIs for logging out (revoking a current token) and logging out from all devices (revoking all tokens). Additionally, token validation now checks revocation status during the decode process.
2025-02-28 17:45:33 +01:00
parent aa77752981
commit 8814dc931f
8 changed files with 270 additions and 208 deletions
--- a/backend/app/models/user.py
+++ b/backend/app/models/user.py
@@ -25,6 +25,7 @@ class User(Base, UUIDMixin, TimestampMixin):
        foreign_keys="EventManager.user_id"
    )
    guest_profiles = relationship("Guest", back_populates="user", foreign_keys="Guest.user_id")
+    revoked_tokens = relationship("RevokedToken", back_populates="user", cascade="all, delete")

    def __repr__(self):
        return f"<User {self.email}>"