fix(auth): validate token issuer, drop 2FA email gate, unify email-change SQL #125

Closed

David wants to merge 1 commit from david/fix/jwt-auth-issuer-2fa-gate-sql-split into main AGit

pull from: david/fix/jwt-auth-issuer-2fa-gate-sql-split

merge into: psa-systems:main

psa-systems:main

psa-systems:fix/dev-loopback-ports

psa-systems:feat/billing-webhook-idempotency

psa-systems:docs/billing-m1-plan

Conversation 0 Commits 1 Files changed 5 +88 -82

David commented 2026-06-12 05:10:10 +02:00

Owner

Copy link

verify_refresh_token and verify_2fa_challenge_token now call set_issuer so cross-deploy tokens fail closed, matching the access-token path; iss is added to RefreshTokenClaims and TwoFactorChallengeClaims and stamped at creation. Remove the unused decode_without_validation footgun (zero callers) that disabled expiry and signature checks. request_email_verification no longer requires 2FA to be enabled, since the verification token itself proves ownership. The email-change immediate and confirm paths now run through executor-generic repository methods (lock_for_update, find_by_id_for_update, email_exists, update_email, revoke_all_user_refresh_tokens, confirm_email_change_request) instead of raw inline SQL, keeping query ownership in the repositories.

#BUNYIP-75

verify_refresh_token and verify_2fa_challenge_token now call set_issuer so cross-deploy tokens fail closed, matching the access-token path; iss is added to RefreshTokenClaims and TwoFactorChallengeClaims and stamped at creation. Remove the unused decode_without_validation footgun (zero callers) that disabled expiry and signature checks. request_email_verification no longer requires 2FA to be enabled, since the verification token itself proves ownership. The email-change immediate and confirm paths now run through executor-generic repository methods (lock_for_update, find_by_id_for_update, email_exists, update_email, revoke_all_user_refresh_tokens, confirm_email_change_request) instead of raw inline SQL, keeping query ownership in the repositories. #BUNYIP-75

David added 1 commit 2026-06-12 05:10:10 +02:00

fix(auth): validate token issuer, drop 2FA email gate, unify email-change SQL ... b9d8f30bc2

verify_refresh_token and verify_2fa_challenge_token now call set_issuer so cross-deploy tokens fail closed, matching the access-token path; iss is added to RefreshTokenClaims and TwoFactorChallengeClaims and stamped at creation. Remove the unused decode_without_validation footgun (zero callers) that disabled expiry and signature checks. request_email_verification no longer requires 2FA to be enabled, since the verification token itself proves ownership. The email-change immediate and confirm paths now run through executor-generic repository methods (lock_for_update, find_by_id_for_update, email_exists, update_email, revoke_all_user_refresh_tokens, confirm_email_change_request) instead of raw inline SQL, keeping query ownership in the repositories.

#BUNYIP-75

David referenced this pull request 2026-06-12 11:42:58 +02:00

fix(auth): validate token issuer, drop 2FA email gate, unify email-change SQL #129

David closed this pull request 2026-06-12 11:43:02 +02:00

All checks were successful

Hide all checks

Check / fmt / clippy / build / test (pull_request) Successful in 1m0s

Details

Create release / Create release from merged PR (pull_request) Has been skipped

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

psa-systems/bunyip!125

No description provided.